Grokbase Groups Lucene dev June 2016
[ https://issues.apache.org/jira/browse/SOLR-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Rowe reopened SOLR-9053:
------------------------------

Reopening to backport to 5.6 and 5.5.2.

Upgrade fileupload-commons to 1.3.1
-----------------------------------

Key: SOLR-9053
URL: https://issues.apache.org/jira/browse/SOLR-9053
Project: Solr
Issue Type: Improvement
Components: security
Affects Versions: 4.6, 5.5, 6.0
Reporter: Jeff Field
Assignee: Jan Høydahl
Labels: commons-file-upload
Fix For: 6.0.1, 6.1

Attachments: SOLR-9053.patch


The project appears to pull in FileUpload 1.2.1. According to CVE-2014-0050:
"MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions."
[Source|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050]


--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
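
A check for the condition the issue describes, a commons-fileupload jar older than 1.3.1 somewhere under an install directory, as an added example that is not code from the Solr project or from the JIRA issue. The function names are hypothetical, and the directory layout and jar contents built in `demo()` are constructed sample data.

```python
import os
import re
import tempfile
import zipfile

FIXED = (1, 3, 1)  # first unaffected release, per the CVE text quoted in the issue


def parse_version(text):
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # "1.3" -> (1, 3, 0)


def jar_version(path):
    """Read Implementation-Version from the manifest, else parse the file name."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        manifest = ""
    found = (re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
             or re.search(r"-(\d+(?:\.\d+)+)", os.path.basename(path)))
    return parse_version(found.group(1)) if found else None


def find_old_fileupload(root):
    """Return sorted (path, version) for commons-fileupload jars older than FIXED."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("commons-fileupload") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if version is None or version < FIXED:  # unknown version is reported too
                    hits.append((path, version))
    return sorted(hits, key=lambda hit: hit[0])


def demo():
    """Constructed sample: two minimal jars in a webapp-style lib directory."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "WEB-INF", "lib")
        os.makedirs(lib)
        for ver in ("1.2.1", "1.3.1"):
            manifest = "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % ver
            with zipfile.ZipFile(os.path.join(lib, "commons-fileupload-%s.jar" % ver), "w") as jar:
                jar.writestr("META-INF/MANIFEST.MF", manifest)
        return [(os.path.basename(p), v) for p, v in find_old_fileupload(tmp)]
```

Call `find_old_fileupload()` on the root of a deployed installation; a jar whose version cannot be determined is listed with `None` so it gets a manual look.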


  • ASF subversion and git services (JIRA) at Jun 17, 2016 at 10:20 pm
    [ https://issues.apache.org/jira/browse/SOLR-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15337108#comment-15337108 ]

    ASF subversion and git services commented on SOLR-9053:
    -------------------------------------------------------

    Commit 931501ce6481080fbdb4c5470f7b532f394e7b96 in lucene-solr's branch refs/heads/branch_5_5 from [~janhoy]
    [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=931501c ]

    SOLR-9053: Upgrade commons-fileupload to 1.3.1, fixing a potential vulnerability
    (cherry picked from commit 0ebe6b0)

  • ASF subversion and git services (JIRA) at Jun 17, 2016 at 10:20 pm
    [ https://issues.apache.org/jira/browse/SOLR-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15337109#comment-15337109 ]

    ASF subversion and git services commented on SOLR-9053:
    -------------------------------------------------------

    Commit dacb226a2be822abe7d46a6be7811c6eeb5f5e4c in lucene-solr's branch refs/heads/branch_5_5 from [~janhoy]
    [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=dacb226 ]

    SOLR-9053: Fix attribution, apply the code refactor part from mdrob's patch
    (cherry picked from commit b6f8c65)

  • ASF subversion and git services (JIRA) at Jun 17, 2016 at 10:20 pm
    [ https://issues.apache.org/jira/browse/SOLR-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15337110#comment-15337110 ]

    ASF subversion and git services commented on SOLR-9053:
    -------------------------------------------------------

    Commit fb5916c329745ea80cff600adab89269c8764f0e in lucene-solr's branch refs/heads/branch_5x from [~janhoy]
    [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=fb5916c ]

    SOLR-9053: Upgrade commons-fileupload to 1.3.1, fixing a potential vulnerability
    (cherry picked from commit 0ebe6b0)

  • ASF subversion and git services (JIRA) at Jun 17, 2016 at 10:20 pm
    [ https://issues.apache.org/jira/browse/SOLR-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15337111#comment-15337111 ]

    ASF subversion and git services commented on SOLR-9053:
    -------------------------------------------------------

    Commit 9ebd60ceec6f7fa2242295467b0420ae807ecbb4 in lucene-solr's branch refs/heads/branch_5x from [~janhoy]
    [ https://git-wip-us.apache.org/repos/asf?p=lucene-solr.git;h=9ebd60c ]

    SOLR-9053: Fix attribution, apply the code refactor part from mdrob's patch
    (cherry picked from commit b6f8c65)

  • Steve Rowe (JIRA) at Jun 17, 2016 at 10:21 pm
    [ https://issues.apache.org/jira/browse/SOLR-9053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

    Steve Rowe resolved SOLR-9053.
    ------------------------------
            Resolution: Fixed
         Fix Version/s: 5.5.2
                        5.6
    Fix For: 5.6, 5.5.2, 6.1, 6.0.1


Discussion Overview
group: dev @
categories: lucene
posted: Jun 17, '16 at 10:18p
active: Jun 17, '16 at 10:21p
posts: 6
users: 1
website: lucene.apache.org
