SOLR-9053: Upgrade fileupload-commons to 1.3.1

Description

      The project appears to pull in FileUpload 1.2.1. According to CVE-2014-0050:

      "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions."
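Added example, not code from the issue or from Solr: a small dependency audit that flags a commons-fileupload pin older than the fixed 1.3.1 named in the description. The `/group/artifact = version` line layout and the sample pins are constructed assumptions, not quotes from Solr's build files.

```python
import re

# Fixed version for the advisory discussed in the issue: CVE-2014-0050 is
# resolved in commons-fileupload 1.3.1 (the only page-derived data here).
FIXED_VERSIONS = {
    "commons-fileupload": ("1.3.1", "CVE-2014-0050"),
}

# Constructed sample of Ivy-style version pins; the "/group/artifact = version"
# layout is an assumption for this example, not a quote from Solr's build.
SAMPLE_PINS = """\
/commons-codec/commons-codec = 1.10
/commons-fileupload/commons-fileupload = 1.2.1
/org.apache.httpcomponents/httpclient = 4.4.1
"""

PIN_RE = re.compile(r"^\s*/([^/\s]+)/([^\s=]+)\s*=\s*(\S+)\s*$")

def parse_version(text):
    """Turn '1.3.1' into ((1, 3, 1), 1); a '-qualifier' such as
    '1.3.1-SNAPSHOT' yields ((1, 3, 1), 0) so it ranks below the release."""
    base, _, qualifier = text.partition("-")
    parts = tuple(int(p) for p in base.split(".") if p.isdigit())
    return parts, (0 if qualifier else 1)

def is_vulnerable(artifact, version):
    """True when the pinned version is below the fixed version of a known advisory."""
    if artifact not in FIXED_VERSIONS:
        return False
    fixed, _advisory = FIXED_VERSIONS[artifact]
    # Tuple comparison handles 1.3 < 1.3.1 and 1.9 < 1.10 correctly.
    return parse_version(version) < parse_version(fixed)

def audit_pins(text):
    """Return (artifact, pinned, fixed, advisory) for every vulnerable pin."""
    findings = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue  # blank lines, comments, or lines not in pin format
        _group, artifact, version = m.groups()
        if is_vulnerable(artifact, version):
            fixed, advisory = FIXED_VERSIONS[artifact]
            findings.append((artifact, version, fixed, advisory))
    return findings

if __name__ == "__main__":
    for artifact, pinned, fixed, advisory in audit_pins(SAMPLE_PINS):
        print(f"{artifact} {pinned} < {fixed}: {advisory}")
```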

Activity

          mdrob Mike Drob added a comment -

          Patch to update the version to 1.3.1

          mdrob Mike Drob added a comment -

          I get two test failures with this patch, but they are reproducible before applying the patch as well.

          thetaphi Uwe Schindler added a comment -

          +1 to fix this!

          janhoy Jan Høydahl added a comment -
          BUILD SUCCESSFUL
          Total time: 54 minutes 32 seconds
          

          Looks like 5.5.1 is on its way out the door, so this will have to wait for another day... No risk of data leak or loss, so it's not worth a re-spin IMO.

          janhoy Jan Høydahl added a comment -

          Fixed for 6.1 and master.
          Remember to backport if there will be another 5.x release.

          mdrob Mike Drob added a comment -

          Is there a 5.5.x branch that we can still apply this to, for the eventual 5.5.2? Agree that it's not worth a respin.

          markrmiller@gmail.com Mark Miller added a comment -

          Hmm...I wonder why this was not commit tagged.

          markrmiller@gmail.com Mark Miller added a comment -

          * SOLR-9053: Upgrade commons-fileupload to 1.3.1, fixing a potential vulnerability (Jeff Field, janhoy)

          Jan Høydahl, you forgot to give Mike Drob credit in CHANGES for this. Jeff Field filed the issue, but Mike Drob wrote the patch.

          janhoy Jan Høydahl added a comment -

          Sorry, Mike Drob, I intended to credit you but copied the name from issue creator. I'll fix it. Also I kept this fix simple, did not commit your Iterator -> foreach code refactor.

Mark Miller, I don't think that a single one of my GIT commits has ever been tagged by the tag bot... It does not like me.

          mdrob Mike Drob added a comment -

Jan Høydahl - I can understand wanting to keep the change minimal. Taking advantage of the generic types newly provided by the API seemed like a natural fit when updating the version, but I can file a new JIRA and submit a patch there if you think it's still worthwhile.

          janhoy Jan Høydahl added a comment -

          Thanks for the explanation of the refactor, I did not realize the change was directly related to the upgrade. I'll include those changes too.

          janhoy Jan Høydahl added a comment -

          Fixed attribution and code refactor. master: b6f8c65, 6x: b6b6d24

          steve_rowe Steve Rowe added a comment -

          Reopening to backport to 6.0.1.

          steve_rowe Steve Rowe added a comment -

          Bulk close issues included in the 6.0.1 release.

          steve_rowe Steve Rowe added a comment -

          Reopening to backport to 5.6 and 5.5.2.

          jira-bot ASF subversion and git services added a comment -

          Commit 931501ce6481080fbdb4c5470f7b532f394e7b96 in lucene-solr's branch refs/heads/branch_5_5 from Jan Høydahl
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=931501c ]

          SOLR-9053: Upgrade commons-fileupload to 1.3.1, fixing a potential vulnerability
          (cherry picked from commit 0ebe6b0)

          jira-bot ASF subversion and git services added a comment -

          Commit dacb226a2be822abe7d46a6be7811c6eeb5f5e4c in lucene-solr's branch refs/heads/branch_5_5 from Jan Høydahl
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=dacb226 ]

          SOLR-9053: Fix attribution, apply the code refactor part from mdrob's patch
          (cherry picked from commit b6f8c65)

          jira-bot ASF subversion and git services added a comment -

          Commit fb5916c329745ea80cff600adab89269c8764f0e in lucene-solr's branch refs/heads/branch_5x from Jan Høydahl
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=fb5916c ]

          SOLR-9053: Upgrade commons-fileupload to 1.3.1, fixing a potential vulnerability
          (cherry picked from commit 0ebe6b0)

          jira-bot ASF subversion and git services added a comment -

          Commit 9ebd60ceec6f7fa2242295467b0420ae807ecbb4 in lucene-solr's branch refs/heads/branch_5x from Jan Høydahl
          [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=9ebd60c ]

          SOLR-9053: Fix attribution, apply the code refactor part from mdrob's patch
          (cherry picked from commit b6f8c65)

          steve_rowe Steve Rowe added a comment -

          Bulk close issues released with 5.5.2.


People

Assignee: Jan Høydahl (janhoy)
Reporter: Jeff Field (jfield)