Return-Path: 
 <commits-return-20631-apmail-tapestry-commits-archive=tapestry.apache.org@tapestry.apache.org>
X-Original-To: apmail-tapestry-commits-archive@minotaur.apache.org
Delivered-To: apmail-tapestry-commits-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 5BAD71038C
	for <apmail-tapestry-commits-archive@minotaur.apache.org>;
 Mon,  3 Mar 2014 16:13:24 +0000 (UTC)
Received: (qmail 92738 invoked by uid 500); 3 Mar 2014 16:13:21 -0000
Delivered-To: apmail-tapestry-commits-archive@tapestry.apache.org
Received: (qmail 92682 invoked by uid 500); 3 Mar 2014 16:13:21 -0000
Mailing-List: contact commits-help@tapestry.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@tapestry.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@tapestry.apache.org>
List-Post: <mailto:commits@tapestry.apache.org>
List-Id: <commits.tapestry.apache.org>
Reply-To: dev@tapestry.apache.org
Delivered-To: mailing list commits@tapestry.apache.org
Received: (qmail 92673 invoked by uid 99); 3 Mar 2014 16:13:21 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Mar 2014 16:13:21 +0000
Date: Mon, 3 Mar 2014 16:13:21 +0000 (UTC)
From: "Bob Harner (JIRA)" <jira@apache.org>
To: commits@tapestry.apache.org
Message-ID: <JIRA.12697887.1393578974295.3409.1393863201084@arcas>
In-Reply-To: <JIRA.12697887.1393578974295@arcas>
References: <JIRA.12697887.1393578974295@arcas>
Subject: [jira] [Updated] (TAP5-2295) Vulnerability in Tapestry-upload
 module due to commons-file-upload
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


     [ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner updated TAP5-2295:
-----------------------------

    Summary: Vulnerability in Tapestry-upload module due to commons-file-upload  (was: Vulnerability found in commons-file-upload < 1.3.1)

> Vulnerability in Tapestry-upload module due to commons-file-upload
> ------------------------------------------------------------------
>
>                 Key: TAP5-2295
>                 URL: https://issues.apache.org/jira/browse/TAP5-2295
>             Project: Tapestry 5
>          Issue Type: Dependency upgrade
>          Components: tapestry-upload
>    Affects Versions: 5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0
>            Reporter: jose luis sanchez
>            Assignee: Bob Harner
>              Labels: bug, commons-file-upload, security, tapestry-upload
>             Fix For: 5.4, 5.3.8
>
>
> Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS attack .
> For more information, see 
> http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
> I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload since version 5.2 at least, or even older.
> So recommended option is to update dependency to commons-file-upload-1.3.1.jar



--
This message was sent by Atlassian JIRA
(v6.2#6252)