Bug#681996: pu: package libcommons-compress-java/1.0-1
tags 681996 + squeeze
On Wed, 2012-07-18 at 10:59 -0430, Miguel Landaeta wrote:
> CVE-2012-2098 / #674448 is not fixed yet in stable, so I would like
> to update libcommons-compress-java/1.0-1.
> The security team already confirmed this doesn't warrant a DSA, so
> this should be fixed through a point update.
> A debdiff with the backported patch to fix the issue is attached.
+libcommons-compress-java (1.0-1+squeeze1) stable; urgency=low
+ * Team upload.
+ * Fix an algorithmic complexity vulnerability in the sorting algorithms
+ in bzip2 compressing stream. CVE-2012-2098. (Closes: #674448).
+ * Update source format to 3.0 (quilt).
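Review bot: the last changelog bullet ("Update source format to 3.0 (quilt)") describes a packaging change that is unrelated to the CVE-2012-2098 fix the update is meant to carry; a stable update should be limited to the minimal change, so drop that bullet and the debian/source/format change it refers to and keep only the backported patch, leaving the entry as the "Team upload" and "Fix an algorithmic complexity vulnerability ..." bullets.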
That last change generally isn't okay for stable updates, I'm afraid.
Hmmm, that's quite a large diff. :-(
main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorOutputStream.java | 638 -----
main/java/org/apache/commons/compress/compressors/bzip2/BlockSort.java | 1081 ++++++++++
test/java/org/apache/commons/compress/compressors/bzip2/BlockSortTest.java | 171 +