Thanks Jose for doing a review. In most cases the commons-upload is used for integration testing (at least for script-console and log). In other cases the dependency is set to provided scope. So the older version is not used at runtime and hence should not be an issue.

The important place to look is launchpad/builder/src/main/bundles/list.xml [1], as bundles mentioned there get packaged in the final Sling distribution and hence actually get used at runtime. There the version is 1.3.1, which has the required security fix.

Chetan Mehrotra

[1] https://github.com/apache/sling/blob/trunk/launchpad/builder/src/main/bundles/list.xml

On Wed, Apr 2, 2014 at 8:52 PM, Jose Insua Fernandez <[email protected]> wrote:
> Hello everyone,
>
> I've been checking the usage of the commons-fileupload component because
> versions previous to 1.3.1 have a security issue (CVE-2014-0050).
>
> I see it referenced in the following pom.xml files:
>
> /sling/tooling/support/install/pom.xml has version number 1.2.2
> /sling/contrib/scripting/script-console/pom.xml has version number 1.1.1
> /sling/contrib/extensions/obr/pom.xml has version number 1.1.1
> /sling/bundles/commons/log/pom.xml has version number 1.2.1
> /sling/bundles/engine/pom.xml has version number 1.3
>
> The usage doesn't seem dangerous, but it would be nice to upgrade the
> versions to 1.3.1 to be sure.
>
> Best regards.
> Jose Antonio Insua
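The distinction the reply draws (a pre-1.3.1 commons-fileupload in test or provided scope does not ship at runtime, whereas a compile-scope one does) can be checked mechanically across pom.xml files. The script below is an added illustration, not Sling project code; the sample POM it parses is constructed and does not correspond to any of the files listed above.

```python
import re
import xml.etree.ElementTree as ET

# Added illustration, not Sling project code: report commons-fileupload
# dependencies in a pom.xml and flag those older than the fixed release
# (1.3.1 for CVE-2014-0050) whose scope puts them on the runtime classpath.
MAVEN_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": MAVEN_NS}
FIXED_VERSION = (1, 3, 1)
RUNTIME_SCOPES = {"compile", "runtime"}  # Maven's default scope is compile

def parse_version(text):
    """'1.2.2' -> (1, 2, 2); shorter strings such as '1.3' are zero-padded."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])

def fileupload_findings(pom_xml):
    """Return [(version, scope, affected)] for every commons-fileupload
    dependency in the POM; affected means older than 1.3.1 and reachable
    at runtime (test/provided scope is not packaged into the artifact)."""
    root = ET.fromstring(pom_xml)
    # Resolve ${property} references against the POM's <properties>
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % MAVEN_NS):
        if dep.findtext("m:artifactId", "", NS) != "commons-fileupload":
            continue
        version = dep.findtext("m:version", "", NS).strip()
        match = re.fullmatch(r"\$\{(.+)\}", version)
        if match:
            version = props.get(match.group(1), version)
        scope = dep.findtext("m:scope", "compile", NS).strip()
        affected = (parse_version(version) < FIXED_VERSION
                    and scope in RUNTIME_SCOPES)
        findings.append((version, scope, affected))
    return findings

# Constructed sample POM (not from the Sling tree) covering both cases:
# a test-scoped 1.2.2 (not shipped) and a compile-scoped 1.1.1 (shipped)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<properties><fileupload.version>1.1.1</fileupload.version></properties>
<dependencies>
<dependency><groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId><version>1.2.2</version>
<scope>test</scope></dependency>
<dependency><groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>${fileupload.version}</version></dependency>
</dependencies></project>"""
```

Running `fileupload_findings(SAMPLE_POM)` reports the test-scoped 1.2.2 as not affected and the compile-scoped 1.1.1 as runtime-affected; a real audit would still cross-check the bundle list that the distribution actually packages, as the reply notes.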
