Bug 1618573 (CVE-2018-11771)
| Summary: | CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, alazarot, anstephe, apevec, bbuckingham, bcourt, bkearney, bmcclain, btotty, cbyrne, chazlett, chrisw, cmacedo, dblechte, dfediuck, dffrench, drieden, drusso, eedri, etirelli, gvarsami, hhorak, hhudgeon, ibek, java-maint, java-sig-commits, jcoleman, jjoyce, jmadigan, jolee, jorton, jschatte, jschluet, jshepherd, jstastny, kbasil, kconner, krathod, kverlaen, ldimaggi, lgriffin, lhh, loleary, lpeer, lzap, markmc, mburns, mgoldboi, michal.skrivanek, mizdebsk, mkolesni, mmccune, ngough, nmoumoul, nwallace, ohadlevy, paradhya, pwright, rbryant, rchan, rjerrido, rrajasek, rsynek, rwagner, rzhang, sandro, sbonazzo, sclewis, sdaley, sherold, sisharma, slinaber, sokeeffe, SpikeFedora, spinder, tcunning, tdecacqu, theute, tkirby, trepel, vbellur, vhalbert, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | apache-commons-compress 1.18 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-26 16:31:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1618574, 1618575, 1625463, 1625464, 1640713, 1640717, 1640719, 1651412 | ||
| Bug Blocks: | 1618576 | ||
|
Description
Sam Fowler
2018-08-17 02:22:45 UTC
Created apache-commons-compress tracking bugs for this issue: Affects: fedora-all [bug 1618574] Upstream ticket: https://issues.apache.org/jira/browse/COMPRESS-463 Upstream patch: https://github.com/apache/commons-compress/commit/a41ce689 Prior patches introducing tests: https://github.com/apache/commons-compress/commit/0fe6ae31 https://github.com/apache/commons-compress/commit/64ed6dde This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss BPM Suite 6 * Red Hat JBoss BRMS 6 * Red Hat JBoss Operations Network 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details This vulnerability is out of security support scope for the following products: * JBoss Developer Studio 11 Please refer to https://access.redhat.com/node/4027141 for more details. This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-11771 Satellite 6.0 was shipping lucene4-contrib which has commons-compress embedded. It is EOL on February 21, 2018. ~~~ [ytale@cordelia manifests]$ cat manifest-eol.txt | grep satellite | grep commons-compres manifest-eol.txt:14677:rhn_satellite:6.0/lucene4-contrib-4.6.1-1.el6sat.noarch.rpm/Commons Compress/1.4.1/commons-compress-1.4.1.jar ~~~ Ref - https://access.redhat.com/support/policy/updates/satellite/ |