[
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Anshum Gupta updated SOLR-9819:
-------------------------------
Description:
We use Apache commons-fileupload 1.3.1. According to CVE-2016-3092 :
"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and
9.x before 9.0.0.M7 and other products, allows remote attackers to cause a
denial of service (CPU consumption) via a long boundary string."
[Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
We should upgrade to 1.3.2.
was:
We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :
"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and
9.x before 9.0.0.M7 and other products, allows remote attackers to cause a
denial of service (CPU consumption) via a long boundary string."
[Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
We should upgrade to 1.3.2.
> Upgrade commons-fileupload to 1.3.2
> -----------------------------------
>
> Key: SOLR-9819
> URL: https://issues.apache.org/jira/browse/SOLR-9819
> Project: Solr
> Issue Type: Improvement
> Components: security
> Affects Versions: 4.6, 5.5, 6.0, 6.1, 6.2, 6.3
> Reporter: Anshum Gupta
> Assignee: Anshum Gupta
> Labels: commons-file-upload
> Attachments: SOLR-9819.patch
>
>
> We use Apache commons-fileupload 1.3.1. According to CVE-2016-3092 :
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
> a denial of service (CPU consumption) via a long boundary string."
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
> We should upgrade to 1.3.2.