commons-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From e...@apache.org
Subject svn commit: r1750857 - in /commons/proper/fileupload/trunk/src: changes/changes.xml site/site.xml site/xdoc/security-reports.xml
Date Thu, 30 Jun 2016 19:49:46 GMT
Author: ecki
Date: Thu Jun 30 19:49:46 2016
New Revision: 1750857

URL: http://svn.apache.org/viewvc?rev=1750857&view=rev
Log:
Site: add security report

Added:
    commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml
Modified:
    commons/proper/fileupload/trunk/src/changes/changes.xml
    commons/proper/fileupload/trunk/src/site/site.xml

Modified: commons/proper/fileupload/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/changes/changes.xml?rev=1750857&r1=1750856&r2=1750857&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/changes/changes.xml (original)
+++ commons/proper/fileupload/trunk/src/changes/changes.xml Thu Jun 30 19:49:46 2016
@@ -39,7 +39,7 @@ The <action> type attribute can be add,u
 
   <properties>
     <title>Release Notes</title>
-    <author email="martinc@apache.org">Martin Cooper</author>
+    <author email="dev@commons.apache.org">Apache Commons Developers</author>
   </properties>
 
   <body>
@@ -57,6 +57,7 @@ The <action> type attribute can be add,u
       <action issue="FILEUPLOAD-246" dev="sebb" type="update">FileUpload should use
IOUtils.closeQuietly where relevant</action>
       <action issue="FILEUPLOAD-245" dev="sebb" type="fix">DiskFileItem.get() may not
fully read the data</action>
       <action issue="FILEUPLOAD-243" dev="sebb" type="update" due-to="Ville Skyttä">Make
some MultipartStream private fields final</action>
+      <action                        dev="ecki" type="add">Site: added security report</action>
     </release>
 
     <release version="1.3.2" description="Bugfix release for 1.3.1" date="2016-05-26">

Modified: commons/proper/fileupload/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/site.xml?rev=1750857&r1=1750856&r2=1750857&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/site/site.xml (original)
+++ commons/proper/fileupload/trunk/src/site/site.xml Thu Jun 30 19:49:46 2016
@@ -32,6 +32,7 @@
       <item name="FAQ"                      href="/faq.html" />
       <item name="Javadoc"                  href="apidocs/index.html" />
       <item name="Download"                 href="/download_fileupload.cgi" />
+      <item name="Security Reports"         href="/security-reports.html"/>
       <item name="Mailing lists"            href="/mail-lists.html" />
       <item name="Issue Tracking"           href="/issue-tracking.html" />
       <item name="Team"                     href="/team-list.html" />

Added: commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml?rev=1750857&view=auto
==============================================================================
--- commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml (added)
+++ commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml Thu Jun 30 19:49:46
2016
@@ -0,0 +1,106 @@
+<?xml version="1.0"?>
+<!--
+
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Commons Fileupload Security Reports</title>
+        <author email="dev@commons.apache.org">Commons Documentation Team</author>
+    </properties>
+    <body>
+      <section name="Apache Commons Fileupload Security Vulnerabilities">
+        <p>This page lists all security vulnerabilities fixed in
+        released versions of Apache Commons Fileupload. Each
+        vulnerability is given a security impact rating by the
+        development team - please note that this rating may vary from
+        platform to platform. We also list the versions of Commons
+        Fileupload the flaw is known to affect, and where a flaw has not
+        been verified list the version with a question mark.</p>
+
+        <p>Please note that binary patches are never provided. If you
+        need to apply a source code patch, use the building
+        instructions for the Commons Fileupload version that you are
+        using.</p>
+
+        <p>If you need help on building Commons Fileupload or other help
+        on following the instructions to mitigate the known
+        vulnerabilities listed here, please send your questions to the
+        public <a href="mail-lists.html">Commons Users mailing
+        list</a>.</p>
+
+        <p>If you have encountered an unlisted security vulnerability
+        or other unexpected behaviour that has security impact, or if
+        the descriptions here are incomplete, please report them
+        privately to the Apache Security Team. Thank you.</p>
+
+        <p>For information about reporting or asking questions about
+        security problems, please see the <a
+        href="http://commons.apache.org/security.html">security page
+        of the Apache Commons project</a>.</p>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3.2">
+          <p><b>Low: Denial of Service</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092">CVE-2016-3092</a></p>
+ 
+          <p>Specially crafted input can trigger a DoS (slow uploads), if the size
of the MIME
+          boundary is close to the size of the buffer in MultipartStream. This is also fixed
+          for <a href="https://tomcat.apache.org/security.html">Apache Tomcat</a>.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1743480">1743480</a>.</p>
+
+          <p>Affects: 1.0? - 1.3.1</p>
+        </subsection>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3.1">
+          <p><b>Low: Denial of Service</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0050">CVE-2014-0050</a></p>
+
+          <p>MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used
in
+          <a href="https://tomcat.apache.org/security.html">Apache Tomcat</a>,
+          JBoss Web, and other products, allows remote attackers to cause a denial of service
(infinite
+          loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's
intended
+          exit conditions.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1565143">1565143</a>.</p>
+
+          <p>Affects: 1.0? - 1.3</p>
+        </subsection>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3">
+
+          <p><b>Low: Improved Documentation for Multitenancy</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0248">CVE-2013-0248</a></p>
+
+          <p>Update the Javadoc and documentation to make it clear that setting a repository
+          is required for a secure configuration if there are local, untrusted users.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1453273">1453273</a>.</p>
+
+          <p>Affects: 1.0 - 1.2.2</p>
+        </subsection>
+
+		</section>
+
+      <section name="Errors and Ommissions">
+        <p>Please report any errors or omissions to <a
+        href="mail-lists.html">the dev mailing list</a>.</p>
+      </section>
+    </body>
+</document>



Mime
View raw message