You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/03/03 05:13:21 UTC
[jira] [Commented] (TAP5-2295) Exploit found in commons-file-upload
< 1.3.1
[ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13917729#comment-13917729 ]
ASF subversion and git services commented on TAP5-2295:
-------------------------------------------------------
Commit 9dfe22e08556da76d7a35a79d599f4b9a527c4e1 in tapestry-5's branch refs/heads/master from [~bobharner]
[ https://git-wip-us.apache.org/repos/asf?p=tapestry-5.git;h=9dfe22e ]
Fixed TAP5-2295 (denial of service vulnerability due to
commons-file-upload) by upgrading commons-file-upload from 1.2.2 to
1.3.1, which also required upgrading commons-io from 2.0.1 to 2.2.
> Exploit found in commons-file-upload < 1.3.1
> --------------------------------------------
>
> Key: TAP5-2295
> URL: https://issues.apache.org/jira/browse/TAP5-2295
> Project: Tapestry 5
> Issue Type: Dependency upgrade
> Components: tapestry-upload
> Affects Versions: 5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0
> Reporter: jose luis sanchez
> Assignee: Bob Harner
> Labels: bug, commons-file-upload, security, tapestry-upload
>
> Just found that commons-file-upload < 1.3.1 has a bug that can create a DOS attack .
> For more information, see
> http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
> I do believe commons-file-upload 1.2.2 it's been used in tapestry-upload since version 5.2 at least, or even older.
> So recommended option is to update dependency to commons-file-upload-1.3.1.jar
--
This message was sent by Atlassian JIRA
(v6.2#6252)