Hello Gary,
Thank you for this release.
I'd like to point out to users of Commons Compress that this version
1.26.0 introduce a *new* dependency to commons-codec (for which it uses
the latest 1.16.1).
https://central.sonatype.com/artifact/org.apache.commons/commons-compress/dependencies
So
Hi Oliver,
What you point out is documented in the release notes [1] and the
site's changes section [2].
Don't confuse binary compatibility (formally defined by the JLS and we
follow) with "drop-in replacement" which can mean different things to
different people.
If you update the version of the
Hi,
Are there any more details on this issue? For instance, under what
circumstances would an application that uses the commons-compress library be
vulnerable? The subject line hints that the flaw is specific to the Dump
format. Is that correct? Are there any options that need to be enabled/dis
Hi Magnus and all,
This was discovered through fuzz testing, basically if some bits in
some parts of a file follow some pattern, then the infinite loop kicks
in. It only happens if your Commons Compress client code decides to
parse a DUMP file.
The ticket https://issues.apache.org/jira/browse/COM
Ses also https://github.com/google/oss-fuzz/pull/11616/files
Gary
On Mon, Feb 19, 2024 at 3:57 PM Gary Gregory wrote:
>
> Hi Magnus and all,
>
> This was discovered through fuzz testing, basically if some bits in
> some parts of a file follow some pattern, then the infinite loop kicks
> in. It o
Thank you, that clears things up a lot!
Best Regards
Magnus Reftel
On 2024/02/19 15:57:49 Gary Gregory wrote:
> Hi Magnus and all,
>
> This was discovered through fuzz testing, basically if some bits in
> some parts of a file follow some pattern, then the infinite loop kicks
> in. It only happens
