Mageia alert MGASA-2014-0056 (plexus-archiver)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> |
| To: | updates-announce@ml.mageia.org |
| Subject: | [updates-announce] MGASA-2014-0056: Updated plexus-archiver package fixes security vulnerability: |
| Date: | Wed, 12 Feb 2014 18:07:15 +0100 |
| Message-ID: | <20140212170715.CF5AB5C5CD@valstar.mageia.org> |

MGASA-2014-0056 - Updated plexus-archiver package fixes security vulnerability:

Publication date: 12 Feb 2014
URL: http://advisories.mageia.org/MGASA-2014-0056.html
Type: security
Affected Mageia releases: 3
CVE: CVE-2012-2098

Description:
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs (CVE-2012-2098).

plexus-archiver used an embedded copy of the affected code from Apache Commons Compress, and therefore was affected by this. It has been patched to use the apache-commons-compress package, in which this issue has already been fixed, for bzip2 compression and decompression.

References:
- https://bugs.mageia.org/show_bug.cgi?id=6331
- https://lists.fedoraproject.org/pipermail/package-announc...
- https://lists.fedoraproject.org/pipermail/package-announc...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098

SRPMS:
- 3/core/plexus-archiver-2.3-1.1.mga3
