Security update for apache-commons-compress SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:2612-1 Final 1 1 2021-08-05T08:17:56Z current 2021-08-05T08:17:56Z 2021-08-05T08:17:56Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache-commons-compress This update for apache-commons-compress fixes the following issues: - Updated to 1.21 - CVE-2021-35515: Fixed an infinite loop when reading a specially crafted 7Z archive. (bsc#1188463) - CVE-2021-35516: Fixed an excessive memory allocation when reading a specially crafted 7Z archive. (bsc#1188464) - CVE-2021-35517: Fixed an excessive memory allocation when reading a specially crafted TAR archive. (bsc#1188465) - CVE-2021-36090: Fixed an excessive memory allocation when reading a specially crafted ZIP archive. (bsc#1188466) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/apache-pulsar:3.3-2021-2612,Container suse/manager/5.0/x86_64/server:latest-2021-2612,Container suse/multi-linux-manager/5.1/x86_64/server:latest-2021-2612,Image SLES15-SP4-Manager-Server-4-3-2021-2612,Image SLES15-SP4-Manager-Server-4-3-Azure-llc-2021-2612,Image SLES15-SP4-Manager-Server-4-3-Azure-ltd-2021-2612,Image SLES15-SP4-Manager-Server-4-3-BYOS-2021-2612,Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure-2021-2612,Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2-2021-2612,Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE-2021-2612,Image SLES15-SP4-Manager-Server-4-3-EC2-llc-2021-2612,Image SLES15-SP4-Manager-Server-4-3-EC2-ltd-2021-2612,Image server-image-2021-2612,SUSE-2021-2612,SUSE-SLE-Module-Development-Tools-15-SP2-2021-2612,SUSE-SLE-Module-Development-Tools-15-SP3-2021-2612 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20212612-1/ Link for SUSE-SU-2021:2612-1 https://lists.suse.com/pipermail/sle-security-updates/2021-August/009259.html E-Mail link for SUSE-SU-2021:2612-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188463 SUSE Bug 1188463 https://bugzilla.suse.com/1188464 SUSE Bug 1188464 https://bugzilla.suse.com/1188465 SUSE Bug 1188465 https://bugzilla.suse.com/1188466 SUSE Bug 1188466 https://www.suse.com/security/cve/CVE-2021-35515/ SUSE CVE CVE-2021-35515 page https://www.suse.com/security/cve/CVE-2021-35516/ SUSE CVE CVE-2021-35516 page https://www.suse.com/security/cve/CVE-2021-35517/ SUSE CVE CVE-2021-35517 page https://www.suse.com/security/cve/CVE-2021-36090/ SUSE CVE CVE-2021-36090 page Container containers/apache-pulsar:3.3 Container suse/manager/5.0/x86_64/server:latest Container suse/multi-linux-manager/5.1/x86_64/server:latest Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-EC2-llc Image SLES15-SP4-Manager-Server-4-3-EC2-ltd Image server-image SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 apache-commons-compress-1.21-3.3.1 apache-commons-compress-javadoc-1.21-3.3.1 apache-commons-compress-1.21-3.3.1 as a component of Container containers/apache-pulsar:3.3 apache-commons-compress-1.21-3.3.1 as a component of Container suse/manager/5.0/x86_64/server:latest apache-commons-compress-1.21-3.3.1 as a component of Container suse/multi-linux-manager/5.1/x86_64/server:latest apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3 apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-llc apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-Azure-ltd apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-llc apache-commons-compress-1.21-3.3.1 as a component of Image SLES15-SP4-Manager-Server-4-3-EC2-ltd apache-commons-compress-1.21-3.3.1 as a component of Image server-image apache-commons-compress-1.21-3.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 apache-commons-compress-1.21-3.3.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. CVE-2021-35515 Container containers/apache-pulsar:3.3:apache-commons-compress-1.21-3.3.1 Container suse/manager/5.0/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Container suse/multi-linux-manager/5.1/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3:apache-commons-compress-1.21-3.3.1 Image server-image:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-compress-1.21-3.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212612-1/ https://www.suse.com/security/cve/CVE-2021-35515.html CVE-2021-35515 https://bugzilla.suse.com/1188463 SUSE Bug 1188463 When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. CVE-2021-35516 Container containers/apache-pulsar:3.3:apache-commons-compress-1.21-3.3.1 Container suse/manager/5.0/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Container suse/multi-linux-manager/5.1/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3:apache-commons-compress-1.21-3.3.1 Image server-image:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-compress-1.21-3.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212612-1/ https://www.suse.com/security/cve/CVE-2021-35516.html CVE-2021-35516 https://bugzilla.suse.com/1188464 SUSE Bug 1188464 When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. CVE-2021-35517 Container containers/apache-pulsar:3.3:apache-commons-compress-1.21-3.3.1 Container suse/manager/5.0/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Container suse/multi-linux-manager/5.1/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3:apache-commons-compress-1.21-3.3.1 Image server-image:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-compress-1.21-3.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212612-1/ https://www.suse.com/security/cve/CVE-2021-35517.html CVE-2021-35517 https://bugzilla.suse.com/1188465 SUSE Bug 1188465 https://bugzilla.suse.com/1188468 SUSE Bug 1188468 When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. CVE-2021-36090 Container containers/apache-pulsar:3.3:apache-commons-compress-1.21-3.3.1 Container suse/manager/5.0/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Container suse/multi-linux-manager/5.1/x86_64/server:latest:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-Azure-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-BYOS:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-llc:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3-EC2-ltd:apache-commons-compress-1.21-3.3.1 Image SLES15-SP4-Manager-Server-4-3:apache-commons-compress-1.21-3.3.1 Image server-image:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP2:apache-commons-compress-1.21-3.3.1 SUSE Linux Enterprise Module for Development Tools 15 SP3:apache-commons-compress-1.21-3.3.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20212612-1/ https://www.suse.com/security/cve/CVE-2021-36090.html CVE-2021-36090 https://bugzilla.suse.com/1188466 SUSE Bug 1188466 https://bugzilla.suse.com/1188469 SUSE Bug 1188469