Security update for apache-commons-compress SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1115-1 Final 1 1 2021-08-09T22:43:19Z current 2021-08-09T22:43:19Z 2021-08-09T22:43:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache-commons-compress This update for apache-commons-compress fixes the following issues: - Updated to 1.21 - CVE-2021-35515: Fixed an infinite loop when reading a specially crafted 7Z archive. (bsc#1188463) - CVE-2021-35516: Fixed an excessive memory allocation when reading a specially crafted 7Z archive. (bsc#1188464) - CVE-2021-35517: Fixed an excessive memory allocation when reading a specially crafted TAR archive. (bsc#1188465) - CVE-2021-36090: Fixed an excessive memory allocation when reading a specially crafted ZIP archive. (bsc#1188466) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1115 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YA4IHX4VRW7LQHM7JIEPOCPE46TRW6MV/ E-Mail link for openSUSE-SU-2021:1115-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188463 SUSE Bug 1188463 https://bugzilla.suse.com/1188464 SUSE Bug 1188464 https://bugzilla.suse.com/1188465 SUSE Bug 1188465 https://bugzilla.suse.com/1188466 SUSE Bug 1188466 https://www.suse.com/security/cve/CVE-2021-35515/ SUSE CVE CVE-2021-35515 page https://www.suse.com/security/cve/CVE-2021-35516/ SUSE CVE CVE-2021-35516 page https://www.suse.com/security/cve/CVE-2021-35517/ SUSE CVE CVE-2021-35517 page https://www.suse.com/security/cve/CVE-2021-36090/ SUSE CVE CVE-2021-36090 page openSUSE Leap 15.2 apache-commons-compress-1.21-lp152.2.3.1 apache-commons-compress-javadoc-1.21-lp152.2.3.1 apache-commons-compress-1.21-lp152.2.3.1 as a component of openSUSE Leap 15.2 apache-commons-compress-javadoc-1.21-lp152.2.3.1 as a component of openSUSE Leap 15.2 When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. CVE-2021-35515 openSUSE Leap 15.2:apache-commons-compress-1.21-lp152.2.3.1 openSUSE Leap 15.2:apache-commons-compress-javadoc-1.21-lp152.2.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YA4IHX4VRW7LQHM7JIEPOCPE46TRW6MV/ https://www.suse.com/security/cve/CVE-2021-35515.html CVE-2021-35515 https://bugzilla.suse.com/1188463 SUSE Bug 1188463 When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. CVE-2021-35516 openSUSE Leap 15.2:apache-commons-compress-1.21-lp152.2.3.1 openSUSE Leap 15.2:apache-commons-compress-javadoc-1.21-lp152.2.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YA4IHX4VRW7LQHM7JIEPOCPE46TRW6MV/ https://www.suse.com/security/cve/CVE-2021-35516.html CVE-2021-35516 https://bugzilla.suse.com/1188464 SUSE Bug 1188464 When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. CVE-2021-35517 openSUSE Leap 15.2:apache-commons-compress-1.21-lp152.2.3.1 openSUSE Leap 15.2:apache-commons-compress-javadoc-1.21-lp152.2.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YA4IHX4VRW7LQHM7JIEPOCPE46TRW6MV/ https://www.suse.com/security/cve/CVE-2021-35517.html CVE-2021-35517 https://bugzilla.suse.com/1188465 SUSE Bug 1188465 https://bugzilla.suse.com/1188468 SUSE Bug 1188468 When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. CVE-2021-36090 openSUSE Leap 15.2:apache-commons-compress-1.21-lp152.2.3.1 openSUSE Leap 15.2:apache-commons-compress-javadoc-1.21-lp152.2.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YA4IHX4VRW7LQHM7JIEPOCPE46TRW6MV/ https://www.suse.com/security/cve/CVE-2021-36090.html CVE-2021-36090 https://bugzilla.suse.com/1188466 SUSE Bug 1188466 https://bugzilla.suse.com/1188469 SUSE Bug 1188469