[jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2

2016-12-02 Thread Anshum Gupta (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anshum Gupta updated SOLR-9819:
---
Affects Version/s: 6.1
   6.2
   6.3

> Upgrade fileupload-commons to 1.3.2
> ---
>
> Key: SOLR-9819
> URL: https://issues.apache.org/jira/browse/SOLR-9819
> Project: Solr
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 4.6, 5.5, 6.0, 6.1, 6.2, 6.3
>Reporter: Anshum Gupta
>Assignee: Anshum Gupta
>  Labels: commons-file-upload
> Attachments: SOLR-9819.patch
>
>
> We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, 
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause 
> a denial of service (CPU consumption) via a long boundary string."
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
> We should upgrade to 1.3.2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org



[jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2

2016-12-02 Thread Anshum Gupta (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anshum Gupta updated SOLR-9819:
---
Attachment: SOLR-9819.patch

The tests pass, so seems like we're good to go.

> Upgrade fileupload-commons to 1.3.2
> ---
>
> Key: SOLR-9819
> URL: https://issues.apache.org/jira/browse/SOLR-9819
> Project: Solr
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 4.6, 5.5, 6.0
>Reporter: Anshum Gupta
>Assignee: Anshum Gupta
>  Labels: commons-file-upload
> Attachments: SOLR-9819.patch
>
>
> We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, 
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause 
> a denial of service (CPU consumption) via a long boundary string."
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
> We should upgrade to 1.3.2.






[jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2

2016-12-02 Thread Anshum Gupta (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anshum Gupta updated SOLR-9819:
---
Reporter: Anshum Gupta  (was: Jeff Field)

> Upgrade fileupload-commons to 1.3.2
> ---
>
> Key: SOLR-9819
> URL: https://issues.apache.org/jira/browse/SOLR-9819
> Project: Solr
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 4.6, 5.5, 6.0
>Reporter: Anshum Gupta
>Assignee: Anshum Gupta
>  Labels: commons-file-upload
>
> We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, 
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause 
> a denial of service (CPU consumption) via a long boundary string."
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
> We should upgrade to 1.3.2.






[jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2

2016-12-02 Thread Anshum Gupta (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anshum Gupta updated SOLR-9819:
---
Description: 
We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :

"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 
9.x before 9.0.0.M7 and other products, allows remote attackers to cause a 
denial of service (CPU consumption) via a long boundary string."

[Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]

We should upgrade to 1.3.2.

  was:
The project appears to pull in FileUpload 1.2.1. According to CVE-2014-0050:

"MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in 
Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause 
a denial of service (infinite loop and CPU consumption) via a crafted 
Content-Type header that bypasses a loop's intended exit conditions."

[Source|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050]


> Upgrade fileupload-commons to 1.3.2
> ---
>
> Key: SOLR-9819
> URL: https://issues.apache.org/jira/browse/SOLR-9819
> Project: Solr
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 4.6, 5.5, 6.0
>Reporter: Jeff Field
>Assignee: Jan Høydahl
>  Labels: commons-file-upload
>
> We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092 :
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used 
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, 
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause 
> a denial of service (CPU consumption) via a long boundary string."
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
> We should upgrade to 1.3.2.






[jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2

2016-12-02 Thread Anshum Gupta (JIRA)

 [ 
https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anshum Gupta updated SOLR-9819:
---
Fix Version/s: (was: 5.5.2)
   (was: 6.0.1)
   (was: 5.6)
   (was: 6.1)

> Upgrade fileupload-commons to 1.3.2
> ---
>
> Key: SOLR-9819
> URL: https://issues.apache.org/jira/browse/SOLR-9819
> Project: Solr
>  Issue Type: Improvement
>  Components: security
>Affects Versions: 4.6, 5.5, 6.0
>Reporter: Jeff Field
>Assignee: Jan Høydahl
>  Labels: commons-file-upload
>
> The project appears to pull in FileUpload 1.2.1. According to CVE-2014-0050:
> "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in 
> Apache Tomcat, JBoss Web, and other products, allows remote attackers to 
> cause a denial of service (infinite loop and CPU consumption) via a crafted 
> Content-Type header that bypasses a loop's intended exit conditions."
> [Source|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050]



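The thread tracks two fix thresholds for the same library: CVE-2014-0050 is fixed in commons-fileupload 1.3.1 and CVE-2016-3092 in 1.3.2. The script below is an added example, not code from this thread, from Solr or from commons-fileupload. It walks a directory tree (for instance an unpacked Solr webapp's WEB-INF/lib, which is an assumed layout), identifies FileUpload jars either by their conventional file name or by the presence of the MultipartStream class, reads the version from the file name or the manifest's Implementation-Version, and reports which of the two CVEs each jar is still exposed to. The sample tree it builds is constructed in a temp directory so the example runs offline.

```python
"""Flag Apache Commons FileUpload jars below the fix versions for
CVE-2014-0050 (1.3.1) and CVE-2016-3092 (1.3.2).

Added example for the SOLR-9819 thread; not part of Solr or commons-fileupload.
"""
import os
import re
import sys
import tempfile
import zipfile

# Fix versions taken from the CVE texts quoted in the thread ("before 1.3.1",
# "before 1.3.2"); a jar whose version is below the threshold is affected.
FIXES = {
    "CVE-2014-0050": (1, 3, 1),
    "CVE-2016-3092": (1, 3, 2),
}

JAR_NAME_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$")
MARKER_CLASS = "org/apache/commons/fileupload/MultipartStream.class"


def parse_version(text):
    """'1.3.2' -> (1, 3, 2); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _read_manifest(path):
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            return names, manifest
    except (zipfile.BadZipFile, KeyError, OSError):
        return [], ""


def jar_version(path):
    """Version from the file name, else from Implementation-Version in the manifest."""
    m = JAR_NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    _, manifest = _read_manifest(path)
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def is_fileupload_jar(path):
    """Conventional name, or a renamed/shaded jar that still ships MultipartStream."""
    if JAR_NAME_RE.match(os.path.basename(path)):
        return True
    names, _ = _read_manifest(path)
    return MARKER_CLASS in names


def affected_cves(version):
    """CVE ids whose fix version is newer than the given version tuple."""
    return sorted(cve for cve, fixed in FIXES.items() if version < fixed)


def scan(root):
    """Return {jar file name: {'path', 'version', 'cves'}} for every FileUpload jar
    under root. Keyed by file name, so it assumes one copy per scanned tree."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(".jar") or not is_fileupload_jar(path):
                continue
            version = jar_version(path)
            if version is None:
                continue
            findings[name] = {"path": path, "version": ".".join(map(str, version)),
                              "cves": affected_cves(version)}
    return findings


def _write_jar(path, version, with_marker):
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        if with_marker:
            zf.writestr(MARKER_CLASS, b"")  # empty placeholder, constructed sample


def build_sample_tree():
    """Constructed sample tree (assumed WEB-INF/lib layout): one jar at the
    1.3.1 level, one at 1.3.2, one renamed jar at 1.2.1 and an unrelated decoy."""
    root = tempfile.mkdtemp(prefix="fileupload-scan-")
    lib = os.path.join(root, "WEB-INF", "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "commons-fileupload-1.3.1.jar"), "1.3.1", True)
    _write_jar(os.path.join(lib, "commons-fileupload-1.3.2.jar"), "1.3.2", True)
    _write_jar(os.path.join(lib, "upload-shaded.jar"), "1.2.1", True)
    _write_jar(os.path.join(lib, "commons-io-2.5.jar"), "2.5", False)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for name, info in sorted(scan(target).items()):
        status = ", ".join(info["cves"]) or "not affected"
        print("%-32s %-8s %s" % (name, info["version"], status))
```

Run it with a path argument to scan a real lib directory, or with no argument to scan the constructed sample. The shaded jar case matters in practice: a renamed or relocated copy of FileUpload keeps the vulnerable MultipartStream even when no file named commons-fileupload-*.jar is present, so matching on file name alone under-reports.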