ant-dev mailing list archives

From Stefan Bodewig <>
Subject [CVE-2012-2098] Apache Commons Compress and Apache Ant denial of service vulnerability
Date Wed, 23 May 2012 14:00:48 GMT
Severity: Low

The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.0 to 1.4
Apache Ant 1.5 to 1.8.3

The bzip2 compressing streams in Apache Commons Compress and Apache Ant
internally use sorting algorithms with unacceptable worst-case
performance on very repetitive inputs.  A specially crafted input to
Compress' BZip2CompressorOutputStream or Ant's <bzip2> task can be used
to make the process spend a very long time while using up all available
processing time, effectively leading to a denial of service.
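
To make the root cause concrete, the following added example (not code from the
advisory, Commons Compress or Ant) measures the work done by the textbook
Burrows-Wheeler block sort that every bzip2 compressor performs on each block:
all rotations of the block are sorted lexicographically, comparing them byte by
byte.  On a random block almost every comparison stops after the first byte; on a
block consisting of one repeated byte every comparison has to scan the entire
block before concluding the rotations are equal, so the work grows with the
square of the block length (times a log factor).  The random block is
constructed from a fixed seed and the merge sort is written out by hand so that
the comparison counts are deterministic; the function and variable names are
this example's own.  Production implementations such as the reference bzip2
library guard against this case by switching to a fallback sort once the main
sort exceeds a work budget, which is the kind of fix the upgrades below deliver.

```python
"""Why repetitive input hurts a naive bzip2 block sort (constructed example)."""
import random


def naive_block_sort(block):
    """Sort the start offsets of every rotation of `block` lexicographically,
    comparing rotations byte by byte (the naive Burrows-Wheeler block sort).

    Returns (sorted offsets, number of byte comparisons performed)."""
    n = len(block)
    cost = [0]  # byte comparisons: the unit of work we measure

    def compare(i, j):
        # Compare the rotation starting at i with the one starting at j.
        for t in range(n):
            cost[0] += 1
            a, b = block[(i + t) % n], block[(j + t) % n]
            if a != b:
                return -1 if a < b else 1
        return 0  # identical rotations: every byte had to be examined

    def merge_sort(items):
        # Plain top-down merge sort so the comparison count is deterministic
        # across Python versions (the built-in sort has data-dependent shortcuts).
        if len(items) <= 1:
            return items
        mid = len(items) // 2
        left, right = merge_sort(items[:mid]), merge_sort(items[mid:])
        merged, li, ri = [], 0, 0
        while li < len(left) and ri < len(right):
            if compare(left[li], right[ri]) <= 0:  # stable: ties take the left side
                merged.append(left[li])
                li += 1
            else:
                merged.append(right[ri])
                ri += 1
        merged.extend(left[li:])
        merged.extend(right[ri:])
        return merged

    return merge_sort(list(range(n))), cost[0]


def rotation(block, start):
    return block[start:] + block[:start]


def is_sorted_order(block, order):
    """Check that `order` lists rotation offsets in non-decreasing order."""
    rots = [rotation(block, s) for s in order]
    return all(rots[k] <= rots[k + 1] for k in range(len(rots) - 1))


def compare_workloads(n=512):
    """Byte comparisons for a random block versus a one-byte-repeated block."""
    rng = random.Random(2012)  # fixed seed; constructed data, not captured input
    random_block = bytes(rng.randrange(256) for _ in range(n))
    repetitive_block = b"a" * n
    _, random_cost = naive_block_sort(random_block)
    _, repetitive_cost = naive_block_sort(repetitive_block)
    return random_cost, repetitive_cost


if __name__ == "__main__":
    rc, pc = compare_workloads()
    print(f"random block:     {rc} byte comparisons")
    print(f"repetitive block: {pc} byte comparisons ({pc / rc:.0f}x more work)")
    for n in (128, 256):
        _, c = naive_block_sort(b"a" * n)
        print(f"n={n}: {c} byte comparisons for repetitive input")
```

For a block of length n that is a power of two, the repetitive case costs
exactly n * (n/2) * log2(n) byte comparisons (every one of the (n/2)·log2(n)
merge comparisons scans all n bytes), so doubling the block more than quadruples
the work; the random block of the same length needs only a few thousand.  This is
why the worst case is a CPU-exhaustion problem rather than a mere slowdown, and
why, besides upgrading, bounding the size of untrusted data handed to a
compressor is a sensible operational control.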

Commons Compress users should upgrade to 1.4.1
Ant users should upgrade to 1.8.4

This issue was discovered by David Jorm of the Red Hat Security Response


Stefan Bodewig
