Return-Path: <commits-return-52168-archive-asf-public=cust-asf.ponee.io@commons.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 16983200B29
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 30 Jun 2016 21:49:54 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 15356160A52; Thu, 30 Jun 2016 19:49:54 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 358AA160A06
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 30 Jun 2016 21:49:53 +0200 (CEST)
Received: (qmail 64126 invoked by uid 500); 30 Jun 2016 19:49:52 -0000
Mailing-List: contact commits-help@commons.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@commons.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@commons.apache.org>
List-Post: <mailto:commits@commons.apache.org>
List-Id: <commits.commons.apache.org>
Reply-To: dev@commons.apache.org
Delivered-To: mailing list commits@commons.apache.org
Received: (qmail 64117 invoked by uid 99); 30 Jun 2016 19:49:52 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Jun 2016 19:49:52 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id DB39BC0591
	for <commits@commons.apache.org>; Thu, 30 Jun 2016 19:49:51 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 0.374
X-Spam-Level: 
X-Spam-Status: No, score=0.374 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1,
	RP_MATCHES_RCVD=-1.426] autolearn=disabled
Received: from mx2-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024)
	with ESMTP id hgsuxWtjZ35x for <commits@commons.apache.org>;
	Thu, 30 Jun 2016 19:49:49 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx2-lw-us.apache.org (ASF Mail Server at mx2-lw-us.apache.org) with ESMTP id 9CC645FB19
	for <commits@commons.apache.org>; Thu, 30 Jun 2016 19:49:49 +0000 (UTC)
Received: from svn01-us-west.apache.org (svn.apache.org [10.41.0.6])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 8D6AEE0098
	for <commits@commons.apache.org>; Thu, 30 Jun 2016 19:49:48 +0000 (UTC)
Received: from svn01-us-west.apache.org (localhost [127.0.0.1])
	by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 486F53A019C
	for <commits@commons.apache.org>; Thu, 30 Jun 2016 19:49:47 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: svn commit: r1750857 - in /commons/proper/fileupload/trunk/src:
 changes/changes.xml site/site.xml site/xdoc/security-reports.xml
Date: Thu, 30 Jun 2016 19:49:46 -0000
To: commits@commons.apache.org
From: ecki@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20160630194947.486F53A019C@svn01-us-west.apache.org>
archived-at: Thu, 30 Jun 2016 19:49:54 -0000

Author: ecki
Date: Thu Jun 30 19:49:46 2016
New Revision: 1750857

URL: http://svn.apache.org/viewvc?rev=1750857&view=rev
Log:
Site: add security report

Added:
    commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml
Modified:
    commons/proper/fileupload/trunk/src/changes/changes.xml
    commons/proper/fileupload/trunk/src/site/site.xml

Modified: commons/proper/fileupload/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/changes/changes.xml?rev=1750857&r1=1750856&r2=1750857&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/changes/changes.xml (original)
+++ commons/proper/fileupload/trunk/src/changes/changes.xml Thu Jun 30 19:49:46 2016
@@ -39,7 +39,7 @@ The <action> type attribute can be add,u
 
   <properties>
     <title>Release Notes</title>
-    <author email="martinc@apache.org">Martin Cooper</author>
+    <author email="dev@commons.apache.org">Apache Commons Developers</author>
   </properties>
 
   <body>
@@ -57,6 +57,7 @@ The <action> type attribute can be add,u
       <action issue="FILEUPLOAD-246" dev="sebb" type="update">FileUpload should use IOUtils.closeQuietly where relevant</action>
       <action issue="FILEUPLOAD-245" dev="sebb" type="fix">DiskFileItem.get() may not fully read the data</action>
       <action issue="FILEUPLOAD-243" dev="sebb" type="update" due-to="Ville Skyttä">Make some MultipartStream private fields final</action>
+      <action                        dev="ecki" type="add">Site: added security report</action>
     </release>
 
     <release version="1.3.2" description="Bugfix release for 1.3.1" date="2016-05-26">

Modified: commons/proper/fileupload/trunk/src/site/site.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/site.xml?rev=1750857&r1=1750856&r2=1750857&view=diff
==============================================================================
--- commons/proper/fileupload/trunk/src/site/site.xml (original)
+++ commons/proper/fileupload/trunk/src/site/site.xml Thu Jun 30 19:49:46 2016
@@ -32,6 +32,7 @@
       <item name="FAQ"                      href="/faq.html" />
       <item name="Javadoc"                  href="apidocs/index.html" />
       <item name="Download"                 href="/download_fileupload.cgi" />
+      <item name="Security Reports"         href="/security-reports.html"/>
       <item name="Mailing lists"            href="/mail-lists.html" />
       <item name="Issue Tracking"           href="/issue-tracking.html" />
       <item name="Team"                     href="/team-list.html" />

Added: commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml
URL: http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml?rev=1750857&view=auto
==============================================================================
--- commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml (added)
+++ commons/proper/fileupload/trunk/src/site/xdoc/security-reports.xml Thu Jun 30 19:49:46 2016
@@ -0,0 +1,106 @@
+<?xml version="1.0"?>
+<!--
+
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<document>
+    <properties>
+        <title>Commons Fileupload Security Reports</title>
+        <author email="dev@commons.apache.org">Commons Documentation Team</author>
+    </properties>
+    <body>
+      <section name="Apache Commons Fileupload Security Vulnerabilities">
+        <p>This page lists all security vulnerabilities fixed in
+        released versions of Apache Commons Fileupload. Each
+        vulnerability is given a security impact rating by the
+        development team - please note that this rating may vary from
+        platform to platform. We also list the versions of Commons
+        Fileupload the flaw is known to affect, and where a flaw has not
+        been verified list the version with a question mark.</p>
+
+        <p>Please note that binary patches are never provided. If you
+        need to apply a source code patch, use the building
+        instructions for the Commons Fileupload version that you are
+        using.</p>
+
+        <p>If you need help on building Commons Fileupload or other help
+        on following the instructions to mitigate the known
+        vulnerabilities listed here, please send your questions to the
+        public <a href="mail-lists.html">Commons Users mailing
+        list</a>.</p>
+
+        <p>If you have encountered an unlisted security vulnerability
+        or other unexpected behaviour that has security impact, or if
+        the descriptions here are incomplete, please report them
+        privately to the Apache Security Team. Thank you.</p>
+
+        <p>For information about reporting or asking questions about
+        security problems, please see the <a
+        href="http://commons.apache.org/security.html">security page
+        of the Apache Commons project</a>.</p>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3.2">
+          <p><b>Low: Denial of Service</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092">CVE-2016-3092</a></p>
+ 
+          <p>Specially crafted input can trigger a DoS (slow uploads), if the size of the MIME
+          boundary is close to the size of the buffer in MultipartStream. This is also fixed
+          for <a href="https://tomcat.apache.org/security.html">Apache Tomcat</a>.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1743480">1743480</a>.</p>
+
+          <p>Affects: 1.0? - 1.3.1</p>
+        </subsection>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3.1">
+          <p><b>Low: Denial of Service</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0050">CVE-2014-0050</a></p>
+
+          <p>MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
+          <a href="https://tomcat.apache.org/security.html">Apache Tomcat</a>,
+          JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite
+          loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended
+          exit conditions.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1565143">1565143</a>.</p>
+
+          <p>Affects: 1.0? - 1.3</p>
+        </subsection>
+
+        <subsection name="Fixed in Apache Commons Fileupload 1.3">
+
+          <p><b>Low: Improved Documentation for Multitenancy</b> <a
+          href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-0248">CVE-2013-0248</a></p>
+
+          <p>Update the Javadoc and documentation to make it clear that setting a repository
+          is required for a secure configuration if there are local, untrusted users.</p>
+
+          <p>This was fixed in revisions
+          <a href="http://svn.apache.org/viewvc?view=revision&amp;revision=1453273">1453273</a>.</p>
+
+          <p>Affects: 1.0 - 1.2.2</p>
+        </subsection>
+
+		</section>
+
+      <section name="Errors and Ommissions">
+        <p>Please report any errors or omissions to <a
+        href="mail-lists.html">the dev mailing list</a>.</p>
+      </section>
+    </body>
+</document>