{"id":"MGASA-2019-0001","summary":"Updated pache-commons-compress packages fix security vulnerabilities","details":"A flaw was found in Apache Commons Compress versions 1.11 to 1.15. A\nspecially crafted ZIP archive can be used to cause an infinite loop\ninside of Apache Commons Compress' extra field parser used by the\nZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15.\nThis can be used to mount a denial of service attack against services\nthat use Compress' zip package (CVE-2018-1324).\n\nApache Commons Compress versions 1.7 to 1.17 are vulnerable to a denial\nof service attack via crafted ZIP archive. When reading a specially\ncrafted ZIP archive, the read method of ZipArchiveInputStream can fail\nto return the correct EOF indication after the end of the stream has\nbeen reached.  When combined with a java.io.InputStreamReader this can\nlead to an infinite stream, which can be used to mount a denial of\nservice attack against services that use Compress' zip package\n(CVE-2018-11771).\n","modified":"2026-04-16T01:48:01.436672453Z","published":"2019-01-05T18:30:16Z","upstream":["CVE-2018-11771","CVE-2018-1324"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2019-0001.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22787"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UJ7GKBUCVEHQVGOXIOT6EWCRVDZJMHGK/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLKWBUZ7KVAJV6VZAY2UYW5JIEVMRT2R/"}],"affected":[{"package":{"name":"apache-commons-compress","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/apache-commons-compress?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12-1.2.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2019-0001.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}