Posted to dev@commons.apache.org by Bernd <ec...@zusammenkunft.net> on 2016/06/28 11:38:21 UTC

[Fileupload] CVE security page and site distribution

Hello,

I was trying to come up with a Victims-cve-db entry for CVE-2016-3092 and I
noticed a few odd things (https://github.com/victims/victims-cve-db/pull/47
):

a) the original mail from Jochen did contain a link to a security page but
Commons FileUpload does not have one:

http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E

-> https://commons.apache.org/proper/commons-fileupload/security.html

b) the change for the release notes is only in trunk, not published
to the site or the archives. This makes it hard to link to a
definitive source.

Regards
Bernd

Re: [Fileupload] CVE security page and site distribution

Posted by Jochen Wiedmann <jo...@gmail.com>.
On Fri, Jul 1, 2016 at 8:00 AM, Benedikt Ritter <br...@apache.org> wrote:

> Bernd Eckenfels <ec...@zusammenkunft.net> wrote on Thu., 30 June 2016 at
> 21:52:
>> Please somebody have a look and publish the site (I don't trust my
>> tooling with this). After the push it needs to be linked from the
>> commons-security page as well.


Nice. You even picked up one that I wasn't aware of. Well done, Bernd!

Jochen

-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Re: [Fileupload] CVE security page and site distribution

Posted by Benedikt Ritter <br...@apache.org>.
Bernd Eckenfels <ec...@zusammenkunft.net> wrote on Thu., 30 June 2016 at
21:52:

> Hello,
>
> I pushed a security report for commons fileupload (incl. the 3 CVEs I
> could find).
>
> http://svn.apache.org/viewvc?rev=1750857&view=rev
>
> Please somebody have a look and publish the site (I don't trust my
> tooling with this). After the push it needs to be linked from the
> commons-security page as well.
>

done.


>
> Regards
> Bernd
>
>
> On Thu, 30 Jun 2016 10:46:12 +0000, Benedikt Ritter <br...@apache.org>
> wrote:
>
> > We still need to create a security site. Commons Compress can be used
> > as an example for this. I don't have time to do it right now.
> >
> > Benedikt
> >
> > Benedikt Ritter <br...@apache.org> wrote on Thu., 30 June 2016 at
> > 12:41:
> >
> > > Hello Bernd,
> > >
> > > I've fixed this in revision 14202 in the dist area. Does this work
> > > for you?
> > >
> > > Benedikt
> > >
> > > Bernd <ec...@zusammenkunft.net> wrote on Tue., 28 June 2016 at
> > > 13:38:
> > >
> > >> Hello,
> > >>
> > >> I was trying to come up with a Victims-cve-db entry for
> > >> CVE-2016-3092 and I
> > >> noticed a few odd things (
> > >> https://github.com/victims/victims-cve-db/pull/47
> > >> ):
> > >>
> > >> a) the original mail from Jochen did contain a link to a security
> > >> page but Commons FileUpload does not have one:
> > >>
> > >>
> > >>
> http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E
> > >>
> > >> ->
> > >> https://commons.apache.org/proper/commons-fileupload/security.html
> > >>
> > >> b) the change for the release notes is only in trunk, not published
> > >> to the site or the archives. This makes it hard to link to a
> > >> definitive source.
> > >>
> > >> Regards
> > >> Bernd
> > >>
> > >
> >
>

Re: [Fileupload] CVE security page and site distribution

Posted by Bernd Eckenfels <ec...@zusammenkunft.net>.
Hello,

I pushed a security report for commons fileupload (incl. the 3 CVEs I
could find).

http://svn.apache.org/viewvc?rev=1750857&view=rev

Please somebody have a look and publish the site (I don't trust my
tooling with this). After the push it needs to be linked from the
commons-security page as well.

Regards
Bernd


On Thu, 30 Jun 2016 10:46:12 +0000, Benedikt Ritter <br...@apache.org>
wrote:

> We still need to create a security site. Commons Compress can be used
> as an example for this. I don't have time to do it right now.
> 
> Benedikt
> 
> Benedikt Ritter <br...@apache.org> wrote on Thu., 30 June 2016 at
> 12:41:
> 
> > Hello Bernd,
> >
> > I've fixed this in revision 14202 in the dist area. Does this work
> > for you?
> >
> > Benedikt
> >
> > Bernd <ec...@zusammenkunft.net> wrote on Tue., 28 June 2016 at
> > 13:38:
> >
> >> Hello,
> >>
> >> I was trying to come up with a Victims-cve-db entry for
> >> CVE-2016-3092 and I
> >> noticed a few odd things (
> >> https://github.com/victims/victims-cve-db/pull/47
> >> ):
> >>
> >> a) the original mail from Jochen did contain a link to a security
> >> page but Commons FileUpload does not have one:
> >>
> >>
> >> http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E
> >>
> >> ->
> >> https://commons.apache.org/proper/commons-fileupload/security.html
> >>
> >> b) the change for the release notes is only in trunk, not published
> >> to the site or the archives. This makes it hard to link to a
> >> definitive source.
> >>
> >> Regards
> >> Bernd
> >>
> >
> 



Re: [Fileupload] CVE security page and site distribution

Posted by Benedikt Ritter <br...@apache.org>.
We still need to create a security site. Commons Compress can be used as an
example for this. I don't have time to do it right now.

Benedikt

Benedikt Ritter <br...@apache.org> wrote on Thu., 30 June 2016 at
12:41:

> Hello Bernd,
>
> I've fixed this in revision 14202 in the dist area. Does this work for you?
>
> Benedikt
>
> Bernd <ec...@zusammenkunft.net> wrote on Tue., 28 June 2016 at 13:38:
>
>> Hello,
>>
>> I was trying to come up with a Victims-cve-db entry for CVE-2016-3092 and
>> I
>> noticed a few odd things (
>> https://github.com/victims/victims-cve-db/pull/47
>> ):
>>
>> a) the original mail from Jochen did contain a link to a security page but
>> Commons FileUpload does not have one:
>>
>>
>> http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E
>>
>> -> https://commons.apache.org/proper/commons-fileupload/security.html
>>
>> b) the change for the release notes is only in trunk, not published
>> to the site or the archives. This makes it hard to link to a
>> definitive source.
>>
>> Regards
>> Bernd
>>
>

Re: [Fileupload] CVE security page and site distribution

Posted by Benedikt Ritter <br...@apache.org>.
Hello Bernd,

I've fixed this in revision 14202 in the dist area. Does this work for you?

Benedikt

Bernd <ec...@zusammenkunft.net> wrote on Tue., 28 June 2016 at 13:38:

> Hello,
>
> I was trying to come up with a Victims-cve-db entry for CVE-2016-3092 and I
> noticed a few odd things (
> https://github.com/victims/victims-cve-db/pull/47
> ):
>
> a) the original mail from Jochen did contain a link to a security page but
> Commons FileUpload does not have one:
>
>
> http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E
>
> -> https://commons.apache.org/proper/commons-fileupload/security.html
>
> b) the change for the release notes is only in trunk, not published
> to the site or the archives. This makes it hard to link to a
> definitive source.
>
> Regards
> Bernd
>