[jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2

Fri, 02 Dec 2016 09:17:19 -0800 

     [ 
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anshum Gupta updated SOLR-9819:
-------------------------------
    Description: 
We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :

"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 
9.x before 9.0.0.M7 and other products, allows remote attackers to cause a 
denial of service (CPU consumption) via a long boundary string."

[Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]

We should upgrade to 1.3.2.

  was:
The project appears to pull in FileUpload 1.2.1. According to CVE-2014-0050:

"MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in 
Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause 
a denial of service (infinite loop and CPU consumption) via a crafted 
Content-Type header that bypasses a loop's intended exit conditions."

[Source|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050]


> Upgrade fileupload-commons to 1.3.2
> -----------------------------------
>
>                 Key: SOLR-9819
>                 URL: https://issues.apache.org/jira/browse/SOLR-9819
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 4.6, 5.5, 6.0
>            Reporter: Jeff Field
>            Assignee: Jan Høydahl
>              Labels: commons-file-upload
>
> We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, 
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause 
> a denial of service (CPU consumption) via a long boundary string."
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
> We should upgrade to 1.3.2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to