Bugzilla – Bug 1220068
VUL-0: CVE-2024-26308: apache-commons-compress: OutOfMemoryError unpacking broken Pack200 file
Last modified: 2024-03-05 16:58:08 UTC
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26308 https://www.cve.org/CVERecord?id=CVE-2024-26308 https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg https://seclists.org/oss-sec/2024/q1/142
We are not vulnerable for this particular vulnerability, since we are removing the deprecated Pack200 compressor. I will still do an upgrade because of the other vulnerability.
Perfect, thank you, let us know when the version without the capability of parsing Pack200 file will be published.
(In reply to Andrea Mattiazzo from comment #3) > Perfect, thank you, let us know when the version without the capability of > parsing Pack200 file will be published. I will be not putting back the Pack200 capacity since it is deprecated format that does not even exist in newer Javas like JDK 17 or JDK 21. But I just made a submit to factory and will soon do also to sle and alp, just a small change to xmvn package is also needed to be able to use it with a new apache-commons-compress, since it requires an additional dependency.
SUSE-SU-2024:0726-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1220068, 1220070 CVE References: CVE-2024-25710, CVE-2024-26308 Sources used: SUSE Manager Server 4.3 Module 4.3 (src): apache-commons-compress-1.26.0-150200.3.16.1, apache-commons-codec-1.16.1-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 SUSE Manager Proxy 4.3 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1 SUSE Manager Retail Branch Server 4.3 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1 SUSE Manager Server 4.3 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1 SUSE Enterprise Storage 7.1 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, apache-commons-compress-1.26.0-150200.3.16.1, xmvn-tools-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 openSUSE Leap 15.5 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, apache-commons-io-2.15.1-150200.3.12.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-javadoc-plugin-bootstrap-3.6.0-150200.4.10.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, maven-resources-plugin-bootstrap-3.3.1-150200.3.12.1, apache-commons-compress-1.26.0-150200.3.16.1, maven-jar-plugin-bootstrap-3.3.0-150200.3.10.1, xmvn-tools-4.2.0-150200.3.18.1, sbt-bootstrap-0.13.18-150200.4.19.7, maven-assembly-plugin-3.6.0-150200.3.10.1, xmvn-parent-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, maven-reporting-impl-3.2.0-150200.4.6.2, xmvn-4.2.0-150200.3.18.1, apache-commons-codec-1.16.1-150200.3.9.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, sbt-0.13.18-150200.4.19.7, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1 Basesystem Module 15-SP5 (src): apache-commons-codec-1.16.1-150200.3.9.1, apache-commons-io-2.15.1-150200.3.12.1 Development Tools Module 15-SP5 (src): maven-doxia-sitetools-1.11.1-150200.3.7.1, maven-doxia-1.12.0-150200.4.7.2, xmvn-connector-4.2.0-150200.3.18.1, maven-resolver-1.9.18-150200.3.17.2, xmvn-4.2.0-150200.3.18.1, maven-resources-plugin-3.3.1-150200.3.12.1, maven-3.9.6-150200.4.21.2, maven-jar-plugin-3.3.0-150200.3.10.1, xmvn-mojo-4.2.0-150200.3.18.1, javapackages-meta-6.2.0-150200.3.7.1, maven-reporting-api-3.1.1-150200.3.7.1, apache-commons-compress-1.26.0-150200.3.16.1, maven-javadoc-plugin-3.6.0-150200.4.10.1, apache-commons-configuration2-2.9.0-150200.5.5.1, xmvn-tools-4.2.0-150200.3.18.1 SUSE Package Hub 15 15-SP5 (src): sbt-bootstrap-0.13.18-150200.4.19.7, sbt-0.13.18-150200.4.19.7 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed, please close.
Closing.