Message-ID: <CAAwi-j9baTi8PQ2FfHMdXVBn=5M8B=O-UtrbmC7rVV+3pVLPNg@mail.gmail.com>
Date: Thu, 10 May 2012 17:47:32 +0400
From: Yegor Kozlov <yegor.kozlov@...om.ru>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [SECURITY] [DSA 2468-1] libjakarta-poi-java security update

Hi,

An explanation of this bug was sent to security@...che.org on 1st March, but unfortunately it wasn't cc'd to the original reporter (Florian Weimer). Please find the answer below.

The POI team believes that it is a regular bug rather than a security issue. The problem happens when parsing a binary MS Word document, and support for MS Word has been greatly improved since version 3.7. The recommended solutions are (in order of preference):

- Try our latest release, POI-3.8. There is a good chance the problem is already fixed.
- If the problem is still there, please create a new Bugzilla entry and supply more information: the stack trace, the problematic file that triggers OutOfMemoryError and any other details that may help us to fix it. The Apache Bugzilla tracker is available at https://issues.apache.org/bugzilla/

Regards,
Yegor Kozlov

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2468-1                   security at debian.org
> http://www.debian.org/security/                            Florian Weimer
> May 09, 2012                            http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : libjakarta-poi-java
> Vulnerability  : unbounded memory allocation
> Problem type   : local
> Debian-specific: no
> CVE ID         : CVE-2012-0213
>
> It was discovered that Apache POI, a Java implementation of the
> Microsoft Office file formats, would allocate arbitrary amounts of
> memory when processing crafted documents. This could impact the
> stability of the Java virtual machine.
>
> For the stable distribution (squeeze), this problem has been fixed in
> version 3.6+dfsg-1+squeeze1.
>
> We recommend that you upgrade your libjakarta-poi-java packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce at lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQEcBAEBAgAGBQJPqs4eAAoJEL97/wQC1SS+vW4H/javD0EcF4EUw9KN9zJb8gJG
> sBtULjsxoMsKOog5L2HNxKuqnU8dBVnJlO+OleAaaThhS6hg/dytsGjZ0Zclro9W
> Oe7N3INrTgjNZ1t1+rUUP7p03STjVwClcLXzhuxU5jzCIqJ8kxHfHtZUbwo7O9dQ
> eUkTGtPQIvRlYv9mQtbb4v526EMiSLKQzWF49rguxHQVnePlZ4cTPCg3/je0NdV8
> L+E1iThzqQo1MHFX3jFa4sYU2xz4f/d6R6cxul9ElDRLNqnWLe3dmxgaYbNfpD3y
> +To3gPtYiW2yaFis58iqTOTN8w+yK+ImjR7Vb6RmQVKripx7eWvKAnprO7THpMA=
> =7m5/
> -----END PGP SIGNATURE-----
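The advisory above describes the general bug class behind CVE-2012-0213: a parser that sizes a buffer from a length field taken from an untrusted document, so a crafted header can make the JVM attempt an arbitrarily large allocation and fail with OutOfMemoryError. The following Java class is an added illustration written for this page; it is not Apache POI code and does not reproduce POI's file-format handling. It uses a made-up toy record format (a 4-byte little-endian length followed by the payload) and hypothetical names (`BoundedRecordReader`, `MAX_RECORD_LENGTH`, `readRecord`) to show the trusting pattern next to a hardened reader that caps the declared length and checks it against the bytes that actually remain before allocating.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;

/** Added example (not Apache POI code): bounded parsing of a length-prefixed record. */
public class BoundedRecordReader {

    // Hypothetical hard cap for this toy format: no single record may exceed 16 MiB.
    static final int MAX_RECORD_LENGTH = 16 * 1024 * 1024;

    /** Reads a 4-byte little-endian length field, failing cleanly on truncation. */
    static int readIntLE(InputStream in) throws IOException {
        byte[] b = new byte[4];
        int n = 0;
        while (n < 4) {
            int r = in.read(b, n, 4 - n);
            if (r < 0) throw new EOFException("truncated length field");
            n += r;
        }
        return ByteBuffer.wrap(b).order(ByteOrder.LITTLE_ENDIAN).getInt();
    }

    /**
     * The risky pattern: the buffer size comes straight from the document.
     * A header claiming ~2 GiB makes `new byte[len]` throw OutOfMemoryError
     * before a single payload byte is read. Shown for contrast only; not called below.
     */
    static byte[] readRecordTrusting(InputStream in) throws IOException {
        int len = readIntLE(in);
        byte[] buf = new byte[len];
        int total = 0;
        while (total < len) {
            int r = in.read(buf, total, len - total);
            if (r < 0) throw new EOFException("record truncated");
            total += r;
        }
        return buf;
    }

    /**
     * Hardened reader: the declared length is treated as unsigned, rejected if it
     * exceeds the format's cap, and rejected if it exceeds what the container can
     * actually hold. Only then is the buffer allocated.
     */
    static byte[] readRecord(InputStream in, long remainingInFile) throws IOException {
        long declared = readIntLE(in) & 0xFFFFFFFFL; // unsigned view of the field
        if (declared > MAX_RECORD_LENGTH) {
            throw new IOException("record length " + declared + " exceeds cap " + MAX_RECORD_LENGTH);
        }
        if (declared > remainingInFile - 4) {
            throw new IOException("record length " + declared + " exceeds remaining input");
        }
        int len = (int) declared;
        byte[] buf = new byte[len];
        int total = 0;
        while (total < len) {
            int r = in.read(buf, total, len - total);
            if (r < 0) throw new EOFException("record truncated at " + total + " of " + len);
            total += r;
        }
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one well-formed record whose payload is "hello".
        byte[] good = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
        byte[] rec = readRecord(new ByteArrayInputStream(good), good.length);
        System.out.println("good record: " + new String(rec, StandardCharsets.US_ASCII));

        // Constructed sample: header claims ~4 GiB of payload but only 3 bytes follow.
        byte[] crafted = {(byte) 0xF0, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 1, 2, 3};
        try {
            readRecord(new ByteArrayInputStream(crafted), crafted.length);
            System.out.println("unexpected: crafted record accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two checks matter in different situations: the cap protects when the container size is unknown (a network stream), and the remaining-size check protects when a document is small but its header lies. Rejecting with an IOException keeps the failure inside the parser's normal error path instead of surfacing as an OutOfMemoryError that can destabilise the whole JVM, which is the impact the advisory describes.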