lucene-dev mailing list archives

From "Anshum Gupta (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SOLR-9819) Upgrade fileupload-commons to 1.3.2
Date Fri, 02 Dec 2016 17:16:58 GMT

     [ https://issues.apache.org/jira/browse/SOLR-9819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anshum Gupta updated SOLR-9819:
-------------------------------
    Description: 
We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092:

"The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat
7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other
products, allows remote attackers to cause a denial of service (CPU consumption) via a long
boundary string."

[Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]

We should upgrade to 1.3.2.

  was:
The project appears to pull in FileUpload 1.2.1. According to CVE-2014-0050:

"MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat,
JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite
loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended
exit conditions."

[Source|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050]


> Upgrade fileupload-commons to 1.3.2
> -----------------------------------
>
>                 Key: SOLR-9819
>                 URL: https://issues.apache.org/jira/browse/SOLR-9819
>             Project: Solr
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 4.6, 5.5, 6.0
>            Reporter: Jeff Field
>            Assignee: Jan Høydahl
>              Labels: commons-file-upload
>
> We use Apache fileupload-commons 1.3.1. According to CVE-2016-3092:
>
> "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache
> Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and
> other products, allows remote attackers to cause a denial of service (CPU consumption) via
> a long boundary string."
>
> [Source|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092]
>
> We should upgrade to 1.3.2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
