site updates post-release
git-svn-id: https://svn.apache.org/repos/asf/commons/proper/compress/trunk@1341872 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index b341ae4..4a62fe6 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -1,4 +1,4 @@
- Apache Commons Compress 1.4 RELEASE NOTES
+ Apache Commons Compress 1.4.1 RELEASE NOTES
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200 and ar, cpio, jar, tar, zip, dump.
@@ -8,10 +8,16 @@
Changes in this version include:
Fixed Bugs:
+
o Ported libbzip2's fallback sort algorithm to
- BZip2CompressorOutputStream to speed up compression in certain
- edge cases.
+ BZip2CompressorOutputStream to speed up compression in certain edge
+ cases.
+ Using specially crafted inputs this can be used as a denial of
+ service attack. See
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
+
+
For complete information on Commons Compress, including instructions on how to submit bug reports,
patches, or suggestions for improvement, see the Apache Commons Compress website:
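Review bot: The antecedent of "this" in the added sentence is ambiguous: read literally, "this can be used as a denial of service attack" refers to the ported fallback sort, i.e. the fix itself, rather than the pre-1.4.1 sorting behaviour it replaces. Suggest rewording along the lines of "Prior to this fix, specially crafted inputs could make BZip2CompressorOutputStream consume excessive CPU time, which can be used as a denial of service attack (CVE-2012-2098)." Naming the CVE identifier in the text rather than only inside the URL also helps anyone scanning the notes for an advisory, and the two added trailing blank lines before "For complete information" could be collapsed to one.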
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 08b089f..a8d3d1f 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -42,12 +42,15 @@
<title>commons-compress</title>
</properties>
<body>
- <release version="1.4.1" date="unreleased"
+ <release version="1.4.1" date="2012-05-23"
description="Release 1.4.1">
<action type="fix" date="2012-05-20">
Ported libbzip2's fallback sort algorithm to
BZip2CompressorOutputStream to speed up compression in certain
edge cases.
+
+ Using specially crafted inputs this can be used as a denial
+ of service attack. See the security reports page for details.
</action>
</release>
<release version="1.4" date="2012-04-11"
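Review bot: Same ambiguity as in RELEASE-NOTES: "this can be used as a denial of service attack" reads as if the ported fallback sort, not the code it replaced, is the attack vector; reword so it is clear the previous behaviour could be abused. The action text also never names CVE-2012-2098 and refers to "the security reports page" without a URL, so the generated changes report cannot be searched by identifier; quoting the CVE id in the action text would fix both. Minor: the action carries date 2012-05-20 while the release is dated 2012-05-23 (which does match the "made public on 23 May 2012" statement on the new security page); confirm the action date is intended as the commit date rather than the release date.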
diff --git a/src/site/site.xml b/src/site/site.xml
index bd977f4..ffeee4f 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -32,6 +32,7 @@
<item name="Conventions" href="/conventions.html"/>
<item name="Issue Tracking" href="/issue-tracking.html"/>
<item name="Download" href="/download_compress.cgi"/>
+ <item name="Security Reports" href="/security.html"/>
<item name="Wiki" href="http://wiki.apache.org/commons/Compress"/>
</menu>
</body>
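Review bot: The new "Security Reports" item uses the same root-relative href style as its neighbours, so it is consistent; consider placing it directly after "Issue Tracking" so that someone looking for where to report a bug sees the private security-reporting route at the same time rather than after the Download link.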
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index 724c31a..8eeca39 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -48,12 +48,17 @@
</ul>
<subsection name="Status">
<ul>
- <li>The code has been released as version 1.4</li>
+ <li>The current release is 1.4.1. This release fixes
+ a denial of service flaw in
+ <code>BZip2CompressorOutputStream</code> that is
+ present in all earlier versions of Commons Compress.
+ For details see the <a href="security.html">security
+ reports page</a>.</li>
</ul>
</subsection>
</section>
<section name="Documentation">
- <p>Commons Compress 1.4 requires Java 5.</p>
+ <p>Commons Compress 1.4.1 requires Java 5.</p>
<p>The compress component is split into <em>compressors</em> and
<em>archivers</em>. While <em>compressors</em>
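Review bot: The status bullet says the flaw is "present in all earlier versions", which matches "Affects: 1.0 - 1.4" on the new security page, but it does not name CVE-2012-2098; adding the identifier here lets users who arrive via a CVE search confirm the fix without following the link. It would also help to say in one phrase that the affected operation is compression through BZip2CompressorOutputStream, as the advisory text describes, so readers can assess exposure quickly from the front page.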
@@ -94,7 +99,7 @@
</section>
<section name="Releases">
<p>
- The latest version v1.4, is Java5 compatible -
+ The latest version v1.4.1, is Java5 compatible -
<a href="http://commons.apache.org/compress/download_compress.cgi">Download now!</a>
</p>
</section>
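Review bot: While this line is being touched, drop the stray comma in "The latest version v1.4.1, is Java5 compatible" (it separates subject from verb), and consider "Java 5" for consistency with "requires Java 5" in the Documentation section of the same file.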
diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
new file mode 100644
index 0000000..30d99c0
--- /dev/null
+++ b/src/site/xdoc/security.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0"?>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<document>
+ <properties>
+ <title>Commons Compress Security Reports</title>
+ <author email="dev@commons.apache.org">Commons Documentation Team</author>
+ </properties>
+ <body>
+ <section name="Reporting New Security Problems with Apache Commons Compress">
+ <p>The Apache Software Foundation takes a very active stance
+ in eliminating security problems and denial of service attacks
+ against its products.</p>
+
+ <p>We strongly encourage folks to report such problems to our
+ private security mailing list first, before disclosing them in
+ a public forum.</p>
+
+ <p>Please note that the security mailing list should only be
+ used for reporting undisclosed security vulnerabilities and
+ managing the process of fixing such vulnerabilities. We cannot
+ accept regular bug reports or other queries at this
+ address. All mail sent to this address that does not relate to
+ an undisclosed security problem in our source code will be
+ ignored.</p>
+
+ <p>If you need to report a bug that isn't an undisclosed
+ security vulnerability, please use the <a
+ href="issue-tracking.html">bug reporting page</a>.</p>
+
+ <p>Questions about:</p>
+
+ <ul>
+ <li>if a vulnerability applies to your particular application</li>
+ <li>obtaining further information on a published vulnerability</li>
+ <li>availability of patches and/or new releases</li>
+ </ul>
+
+ <p>should be addressed to the users mailing list. Please see
+ the <a href="mail-lists.html">mailing lists page</a> for
+ details of how to subscribe.</p>
+
+ <p>The private security mailing address is: <a
+ href="mailto:security@apache.org">security@apache.org</a></p>
+ </section>
+
+ <section name="Apache Commons Compress Security Vulnerabilities">
+ <p>This page lists all security vulnerabilities fixed in
+ released versions of Apache Commons Compress. Each
+ vulnerability is given a security impact rating by the
+ development team - please note that this rating may vary from
+ platform to platform. We also list the versions of Commons
+ Compress the flaw is known to affect, and where a flaw has not
+ been verified list the version with a question mark.</p>
+
+ <p>Please note that binary patches are never provided. If you
+ need to apply a source code patch, use the building
+ instructions for the Commons Compress version that you are
+ using.</p>
+
+ <p>If you need help on building Commons Compress or other help
+ on following the instructions to mitigate the known
+ vulnerabilities listed here, please send your questions to the
+ public <a href="mail-lists.html">Compress Users mailing
+ list</a>.</p>
+
+ <p>If you have encountered an unlisted security vulnerability
+ or other unexpected behaviour that has security impact, or if
+ the descriptions here are incomplete, please report them
+ privately to the Apache Security Team. Thank you.</p>
+
+ <subsection name="Fixed in Apache Commons Compress 1.4.1">
+ <p><b>Low: Denial of Service</b> <a
+ href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></p>
+
+ <p>The bzip2 compressing streams in Apache Commons Compress
+ internally use sorting algorithms with unacceptable
+ worst-case performance on very repetitive inputs. A
+ specially crafted input to Compress'
+ <code>BZip2CompressorOutputStream</code> can be used to make
+ the process spend a very long time while using up all
+ available processing time effectively leading to a denial of
+ service.</p>
+
+ <p>This was fixed in revisions
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1332540">1332540</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1332552">1332552</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1333522">1333522</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1337444">1337444</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340715">1340715</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340723">1340723</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340757">1340757</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340786">1340786</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340787">1340787</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340790">1340790</a>,
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340795">1340795</a> and
+ <a href="http://svn.apache.org/viewvc?view=revision&revision=1340799">1340799</a>.</p>
+
+ <p>This was first reported to the Security Team on 12 April
+ 2012 and made public on 23 May 2012.</p>
+
+ <p>Affects: 1.0 - 1.4</p>
+
+ </subsection>
+ </section>
+
+ <section name="Errors and Ommissions">
+ <p>Please report any errors or omissions to <a
+ href="mail-lists.html">the dev mailing list</a>.</p>
+ </section>
+ </body>
+</document>
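Review bot: The href values of the revision links (`viewvc?view=revision&revision=...`) contain a bare `&`, which is not well-formed XML and will make the xdoc fail to parse unless the committed file actually contains `&amp;` and only the rendering here has decoded it; please verify the file on disk uses `&amp;`. Typo in the last section heading: "Ommissions" should be "Omissions". The advisory text itself is clear, but two additions would help readers assess exposure: state explicitly that only compression through BZip2CompressorOutputStream is affected and whether the decompressing stream is, since "the bzip2 compressing streams" leaves that implicit; and add an explicit mitigation line (upgrade to 1.4.1, the version the subsection heading names as the fix), since the page promises "instructions to mitigate the known vulnerabilities" but the entry gives none. The "Low" rating may also deserve a sentence of justification, given that the description itself says a service compressing attacker-supplied input can be made to use up all available processing time.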