https://bugzilla.redhat.com/show_bug.cgi?id=1557542
Bug ID: 1557542
Summary: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: bmcclain@redhat.com, dblechte@redhat.com, eedri@redhat.com, hhorak@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jorton@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, sandro@mathys.io, sbonazzo@redhat.com, sherold@redhat.com, SpikeFedora@gmail.com, ykaul@redhat.com, ylavi@redhat.com
A flaw was found in Apache Commons Compress versions 1.11 to 1.15. A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Upstream patch:
https://git-wip-us.apache.org/repos/asf?p=commons-compress.git;a=blobdiff;f=...
Upstream issue:
https://issues.apache.org/jira/browse/COMPRESS-432
Pedro Sampaio psampaio@redhat.com changed:
What: Depends On
Removed:
Added: 1557543
--- Comment #1 from Pedro Sampaio psampaio@redhat.com ---
Created apache-commons-compress tracking bugs for this issue:
Affects: fedora-all [bug 1557543]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1557543
[Bug 1557543] CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes [fedora-all]
--- Comment #2 from Pedro Sampaio psampaio@redhat.com ---
External References:
https://commons.apache.org/proper/commons-compress/security-reports.html
Pedro Sampaio psampaio@redhat.com changed:
What: Blocks
Removed:
Added: 1557544
Pedro Sampaio psampaio@redhat.com changed:
What: CC
Removed:
Added: aileenc@redhat.com, alazarot@redhat.com, anstephe@redhat.com, avibelli@redhat.com, bcourt@redhat.com, bgeorges@redhat.com, bkearney@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, dffrench@redhat.com, drieden@redhat.com, drusso@redhat.com, etirelli@redhat.com, gvarsami@redhat.com, ibek@redhat.com, jbalunas@redhat.com, jcoleman@redhat.com, jmadigan@redhat.com, jmatthew@redhat.com, jolee@redhat.com, jpallich@redhat.com, jschatte@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kconner@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgriffin@redhat.com, lpetrovi@redhat.com, lthon@redhat.com, mmccune@redhat.com, mrike@redhat.com, mszynkie@redhat.com, ngough@redhat.com, nwallace@redhat.com, ohadlevy@redhat.com, paradhya@redhat.com, pavelp@redhat.com, pgallagh@redhat.com, pszubiak@redhat.com, pwright@redhat.com, rchan@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsynek@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sdaley@redhat.com, sisharma@redhat.com, smohan@redhat.com, ssaha@redhat.com, tcunning@redhat.com, tjay@redhat.com, tkirby@redhat.com, trepel@redhat.com, trogers@redhat.com, tsanders@redhat.com, vbellur@redhat.com, vhalbert@redhat.com
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=new,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new
Pedro Sampaio psampaio@redhat.com changed:
What: CC
Removed:
Added: apevec@redhat.com, chrisw@redhat.com, jjoyce@redhat.com, jschluet@redhat.com, kbasil@redhat.com, lhh@redhat.com, lpeer@redhat.com, markmc@redhat.com, mburns@redhat.com, mkolesni@redhat.com, nyechiel@redhat.com, rbryant@redhat.com, sclewis@redhat.com, slinaber@redhat.com, tdecacqu@redhat.com
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=new,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=new,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=new,openstack-9/opendaylight=new
Kurt Seifried kseifried@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=new,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=new,openstack-9/opendaylight=new
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=new,openstack-9/opendaylight=new
--- Comment #3 from Kurt Seifried kseifried@redhat.com ---
Statement:
This issue affects the versions of lucene4 as shipped with Red Hat Enterprise Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not include the lucene4 component and are not affected.
Summer Long slong@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=new,openstack-9/opendaylight=new
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=129,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Summer Long slong@redhat.com changed:
What: Depends On
Removed:
Added: 1558341
Summer Long slong@redhat.com changed:
What: Depends On
Removed:
Added: 1558342
Siddharth Sharma sisharma@redhat.com changed:
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=129,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhscon-2/commons-compress=new,rhes-3/commons-compress=new,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=129,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
--- Comment #5 from Fedora Update System updates@fedoraproject.org ---
apache-commons-compress-1.13-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #6 from Fedora Update System updates@fedoraproject.org ---
apache-commons-compress-1.14-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1557542 depends on bug 1557543, which changed state.
Bug 1557543 Summary: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1557543
What: Status
Removed: ON_QA
Added: CLOSED
What: Resolution
Removed: ---
Added: ERRATA
Doran Moppert dmoppert@redhat.com changed:
What: Fixed In Version
Removed: Apache Commons Compress 1.16
Added: apache-commons-compress 1.16
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H,cwe=129,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=new,rhev-m-4/apache-commons-compress=new,rhscl-3/rh-java-common-apache-commons-compress=new,rhscl-3/rh-maven35-apache-commons-compress=new,rhel-8/apache-commons-compress=new,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-190->CWE-835,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=notaffected,rhev-m-4/apache-commons-compress=notaffected,rhscl-3/rh-java-common-apache-commons-compress=notaffected,rhscl-3/rh-maven35-apache-commons-compress=affected,rhel-8/apache-commons-compress=affected,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Doran Moppert dmoppert@redhat.com changed:
What: Depends On
Removed:
Added: 1563526, 1563527
Chess Hazlett chazlett@redhat.com changed:
What: CC
Removed:
Added: hghasemb@redhat.com, krathod@redhat.com
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-190->CWE-835,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=notaffected,rhev-m-4/apache-commons-compress=notaffected,rhscl-3/rh-java-common-apache-commons-compress=notaffected,rhscl-3/rh-maven35-apache-commons-compress=affected,rhel-8/apache-commons-compress=affected,bpms-6/commons-compress=new,jdv-6/commons-compress=new,brms-5/commons-compress=new,brms-6/commons-compress=new,jbds-11/commons-compress=new,fsw-6/commons-compress=new,fuse-6/commons-compress=new,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=new,vertx-3/commons-compress=new,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-190->CWE-835,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=notaffected,rhev-m-4/apache-commons-compress=notaffected,rhscl-3/rh-java-common-apache-commons-compress=notaffected,rhscl-3/rh-maven35-apache-commons-compress=affected,rhel-8/apache-commons-compress=affected,bpms-6/commons-compress=notaffected,jdv-6/commons-compress=wontfix,brms-5/commons-compress=notaffected,brms-6/commons-compress=notaffected,jbds-11/commons-compress=notaffected,fsw-6/commons-compress=notaffected,fuse-6/commons-compress=notaffected,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=new,vertx-3/commons-compress=notaffected,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Jason Shepherd jshepherd@redhat.com changed:
What: CC
Removed:
Added: ppenicka@redhat.com
What: Whiteboard
Removed: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-190->CWE-835,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=notaffected,rhev-m-4/apache-commons-compress=notaffected,rhscl-3/rh-java-common-apache-commons-compress=notaffected,rhscl-3/rh-maven35-apache-commons-compress=affected,rhel-8/apache-commons-compress=affected,bpms-6/commons-compress=notaffected,jdv-6/commons-compress=wontfix,brms-5/commons-compress=notaffected,brms-6/commons-compress=notaffected,jbds-11/commons-compress=notaffected,fsw-6/commons-compress=notaffected,fuse-6/commons-compress=notaffected,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=new,vertx-3/commons-compress=notaffected,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
Added: impact=moderate,public=20180316,reported=20180316,source=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-190->CWE-835,fedora-all/apache-commons-compress=affected,rhel-7/apache-commons-compress=notaffected,rhev-m-4/apache-commons-compress=notaffected,rhscl-3/rh-java-common-apache-commons-compress=notaffected,rhscl-3/rh-maven35-apache-commons-compress=affected,rhel-8/apache-commons-compress=affected,bpms-6/commons-compress=notaffected,jdv-6/commons-compress=wontfix,brms-5/commons-compress=notaffected,brms-6/commons-compress=notaffected,jbds-11/commons-compress=notaffected,fsw-6/commons-compress=notaffected,fuse-6/commons-compress=notaffected,rhn_satellite_6/commons-compress=notaffected,rhes-3/commons-compress=notaffected,rhmap-4/commons-compress=notaffected,vertx-3/commons-compress=notaffected,openstack-8/opendaylight=affected,openstack-9/opendaylight=affected
--- Comment #9 from Jason Shepherd jshepherd@redhat.com ---
RHMAP has a dependency on commons-compress because it's required by log4j-core. Log4j-core only uses commons-compress for compression of log files, and doesn't provide any decompression functionality. Therefore log4j-core and RHMAP are not affected by this flaw.