type: security
subject: Updated plexus-archiver package fixes security vulnerability
CVE:
 - CVE-2012-2098
src:
  3:
   core:
     - plexus-archiver-2.3-1.1.mga3
description: |
  Algorithmic complexity vulnerability in the sorting algorithms in bzip2
  compressing stream (BZip2CompressorOutputStream) in Apache Commons
  Compress before 1.4.1 allows remote attackers to cause a denial of
  service (CPU consumption) via a file with many repeating inputs
  (CVE-2012-2098).

  plexus-archiver used an embedded copy of the affected code from Apache
  Commons Compress, and therefore was affected by this. It has been patched
  to use the apache-commons-compress package, in which this issue has
  already been fixed, for bzip2 compression and decompression.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=6331
 - https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html
 - https://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html
ID: MGASA-2014-0056