[ https://issues.apache.org/jira/browse/FILEUPLOAD-357?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904106#comment-17904106 ]
Didier Loiseau commented on FILEUPLOAD-357:
-------------------------------------------

I noticed that [you had actually already performed the upgrade|https://github.com/apache/commons-fileupload/commit/4699a8bd4ff88e2b727b7363e520e65446c62b2a] on the 1.x branch, but you are also actively working on other things on the latter. Is there some kind of planning for the 1.6.0 release?

I tried to check the mailing lists, but most recent messages containing “fileupload” seem to be automatic mails from Dependabot/GitHub/Jira.

(I really don’t want to put any pressure, it’s just to get some info)

> Backport commons-io upgrade in 1.x for CVE-2024-47554
> -----------------------------------------------------
>
>                 Key: FILEUPLOAD-357
>                 URL: https://issues.apache.org/jira/browse/FILEUPLOAD-357
>             Project: Commons FileUpload
>          Issue Type: Bug
>    Affects Versions: 1.5
>            Reporter: Didier Loiseau
>            Priority: Major
>
> Would it be possible to release a new version of commons-fileupload 1.x that
> depends on the fixed commons-io (2.14+) for
> [CVE-2024-47554|https://nvd.nist.gov/vuln/detail/CVE-2024-47554]?
> Note that there does not seem to be a “patch” release of commons-io with the
> fix, only minor releases. Maybe commons-io should publish a patch for release
> 2.11, in order to publish a commons-fileupload 2.15.1 with the fix?
> p.s. it seems version 1.5 hasn’t been marked as released in Jira

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
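Added example, not code from the Jira thread or from Commons FileUpload: a check that a consumer of commons-fileupload 1.x can run over `mvn dependency:tree` output to see whether the commons-io it actually resolves is below the 2.14.0 that the report names as the fixed line for CVE-2024-47554. The sample tree is constructed, and the line layout (`[INFO] |  \- group:artifact:type:version:scope`) is assumed from the dependency plugin's default text output.

```python
"""Flag a transitive commons-io older than 2.14.0 in `mvn dependency:tree` output.

Added example for the FILEUPLOAD-357 discussion; not project code.
Assumptions: the default text format of `mvn dependency:tree`, and the
2.14.0 threshold taken from the issue text (fixed commons-io is "2.14+").
"""
import sys

# Constructed sample of what a project on commons-fileupload 1.5 might print.
# Not captured from a real build.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] |  \\- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.14.0:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# First commons-io line the issue reports as fixed (assumption: 2.14+ means 2.14.0).
FIXED_COMMONS_IO = (2, 14, 0)


def parse_version(version):
    """Turn '2.11.0', '2.14' or '2.14.0-SNAPSHOT' into a 3-tuple of ints.

    A '-qualifier' suffix is dropped, so a 2.14.0-SNAPSHOT counts as 2.14.0;
    pre-release builds are not what a production build should resolve anyway.
    """
    numeric = version.split("-", 1)[0]
    nums = [int(p) if p.isdigit() else 0 for p in numeric.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def parse_tree(text):
    """Yield (group, artifact, version, scope) for each dependency line.

    Dependency lines have 5 fields (g:a:type:version:scope) or 6 when a
    classifier is present; the root project line has 4 and is skipped.
    """
    for line in text.splitlines():
        body = line.replace("[INFO]", "", 1).strip()
        body = body.lstrip("+-\\| ")  # tree-drawing prefix: '+- ', '|  ', '\- '
        parts = body.split(":")
        if len(parts) < 5:
            continue
        yield parts[0], parts[1], parts[-2], parts[-1]


def vulnerable_commons_io(text, fixed=FIXED_COMMONS_IO):
    """Return [(version, scope), ...] for every commons-io resolved below `fixed`.

    Scope is returned rather than filtered: a test-scoped hit is not shipped,
    but the caller should make that call, not this function.
    """
    hits = []
    for group, artifact, version, scope in parse_tree(text):
        if (group, artifact) == ("commons-io", "commons-io") and parse_version(version) < fixed:
            hits.append((version, scope))
    return hits


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python check_commons_io.py
    # With no piped input the constructed sample is checked instead.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_TREE
    hits = vulnerable_commons_io(text)
    for version, scope in hits:
        print(f"commons-io {version} ({scope}) is below 2.14.0: override it")
    sys.exit(1 if hits else 0)
```

Run it as `mvn dependency:tree | python check_commons_io.py -` against a real build. Until a 1.x release with the upgraded dependency ships, the consumer-side workaround is the usual Maven one: declare commons-io 2.14.0 or later directly or in `dependencyManagement`, so that it wins over the transitive 2.11.0 pulled in by commons-fileupload 1.5, and re-run the check to confirm the tree now shows the pinned version.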