apache-commons-compress-1.21-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10618-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z apache-commons-compress-1.21-1.2 on GA media These are all security issues fixed in the apache-commons-compress-1.21-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10618 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-12402/ SUSE CVE CVE-2019-12402 page https://www.suse.com/security/cve/CVE-2021-35515/ SUSE CVE CVE-2021-35515 page https://www.suse.com/security/cve/CVE-2021-35516/ SUSE CVE CVE-2021-35516 page https://www.suse.com/security/cve/CVE-2021-35517/ SUSE CVE CVE-2021-35517 page https://www.suse.com/security/cve/CVE-2021-36090/ SUSE CVE CVE-2021-36090 page openSUSE Tumbleweed apache-commons-compress-1.21-1.2 apache-commons-compress-javadoc-1.21-1.2 apache-commons-compress-1.21-1.2 as a component of openSUSE Tumbleweed apache-commons-compress-javadoc-1.21-1.2 as a component of openSUSE Tumbleweed The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. CVE-2019-12402 openSUSE Tumbleweed:apache-commons-compress-1.21-1.2 openSUSE Tumbleweed:apache-commons-compress-javadoc-1.21-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12402.html CVE-2019-12402 https://bugzilla.suse.com/1148475 SUSE Bug 1148475 When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. CVE-2021-35515 openSUSE Tumbleweed:apache-commons-compress-1.21-1.2 openSUSE Tumbleweed:apache-commons-compress-javadoc-1.21-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-35515.html CVE-2021-35515 https://bugzilla.suse.com/1188463 SUSE Bug 1188463 When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. CVE-2021-35516 openSUSE Tumbleweed:apache-commons-compress-1.21-1.2 openSUSE Tumbleweed:apache-commons-compress-javadoc-1.21-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-35516.html CVE-2021-35516 https://bugzilla.suse.com/1188464 SUSE Bug 1188464 When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. CVE-2021-35517 openSUSE Tumbleweed:apache-commons-compress-1.21-1.2 openSUSE Tumbleweed:apache-commons-compress-javadoc-1.21-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-35517.html CVE-2021-35517 https://bugzilla.suse.com/1188465 SUSE Bug 1188465 https://bugzilla.suse.com/1188468 SUSE Bug 1188468 When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. CVE-2021-36090 openSUSE Tumbleweed:apache-commons-compress-1.21-1.2 openSUSE Tumbleweed:apache-commons-compress-javadoc-1.21-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-36090.html CVE-2021-36090 https://bugzilla.suse.com/1188466 SUSE Bug 1188466 https://bugzilla.suse.com/1188469 SUSE Bug 1188469