Source: commons-configuration
Version: 1.10-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for commons-configuration.

CVE-2025-46392[0]:
| Uncontrolled Resource Consumption vulnerability in Apache Commons
| Configuration 1.x. There are a number of issues in Apache Commons
| Configuration 1.x that allow excessive resource consumption when
| loading untrusted configurations or using unexpected usage patterns.
| The Apache Commons Configuration team does not intend to fix these
| issues in 1.x. Apache Commons Configuration 1.x is still safe to use
| in scenarios where you only load trusted configurations. Users
| that load untrusted configurations or give attackers control over
| usage patterns are recommended to upgrade to the 2.x version line,
| which fixes these issues. Apache Commons Configuration 2.x is not a
| drop-in replacement, but as it uses a separate Maven groupId and
| Java package namespace they can be loaded side-by-side, making it
| possible to do a gradual migration.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46392
    https://www.cve.org/CVERecord?id=CVE-2025-46392
[1] https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s

Regards,
Salvatore
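The side-by-side migration that the CVE text recommends, as an added example that is not part of the bug report, the Debian package or the Apache project. It assumes the standard coordinates for the two lines (groupId commons-configuration, package org.apache.commons.configuration for 1.x; groupId org.apache.commons, artifactId commons-configuration2, package org.apache.commons.configuration2 for 2.x) and a hypothetical per-source "trusted" flag supplied by the caller; the point is that an application can keep 1.x for files it ships itself while routing every attacker-influenced file through 2.x until the 1.x dependency can be dropped.

```java
// Added example: run Commons Configuration 1.x and 2.x side by side during a
// gradual migration. Assumed Maven coordinates (not taken from the report):
//   commons-configuration:commons-configuration:1.10   -> org.apache.commons.configuration
//   org.apache.commons:commons-configuration2:2.x       -> org.apache.commons.configuration2
// The separate groupIds and packages are what let both jars sit on one classpath.
import java.io.File;

// 1.x: only for configuration files the application itself ships or controls.
import org.apache.commons.configuration.ConfigurationException;
import org.apache.commons.configuration.PropertiesConfiguration;

// 2.x: for anything whose contents an external party can influence
// (CVE-2025-46392 is fixed in this line, per the CVE text).
import org.apache.commons.configuration2.Configuration;
import org.apache.commons.configuration2.builder.fluent.Configurations;

public final class ConfigLoader {

    private ConfigLoader() {
    }

    /** Trusted, application-owned file: legacy 1.x code path, left untouched mid-migration. */
    public static PropertiesConfiguration loadTrusted(File file) throws ConfigurationException {
        return new PropertiesConfiguration(file);
    }

    /**
     * Untrusted or user-supplied file: always parsed by 2.x. The 2.x exception type has the
     * same simple name as the 1.x one, so it is fully qualified here instead of imported.
     */
    public static Configuration loadUntrusted(File file)
            throws org.apache.commons.configuration2.ex.ConfigurationException {
        return new Configurations().properties(file);
    }

    /**
     * Hypothetical policy hook: the caller classifies the source. Anything not positively
     * known to be trusted goes to 2.x, so a misclassification defaults to the safe line.
     */
    public static String lookup(File file, boolean trusted, String key) throws Exception {
        if (trusted) {
            return loadTrusted(file).getString(key);
        }
        return loadUntrusted(file).getString(key);
    }

    public static void main(String[] args) throws Exception {
        // Constructed usage: an application-shipped file via 1.x, a user upload via 2.x.
        System.out.println(lookup(new File("/etc/myapp/app.properties"), true, "listen.port"));
        System.out.println(lookup(new File("/var/lib/myapp/uploads/user.properties"), false, "theme"));
    }
}
```

Once no caller passes trusted=true any more, loadTrusted and the 1.x dependency can be removed together; until then the 1.x jar stays on the classpath but is never handed an attacker-controlled file.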