drill-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cong Luo (Jira)" <j...@apache.org>
Subject [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
Date Wed, 04 Aug 2021 03:33:00 GMT
Cong Luo created DRILL-7981:
-------------------------------

             Summary: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090
                 Key: DRILL-7981
                 URL: https://issues.apache.org/jira/browse/DRILL-7981
             Project: Apache Drill
          Issue Type: Improvement
            Reporter: Cong Luo
            Assignee: Cong Luo
             Fix For: 1.20.0


When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts
of memory that finally leads to an out of memory error even for very small inputs. This could
be used to mount a denial of service attack against services that use Compress' zip package.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message