
Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Released As: 2.278

      Background

      See jenkinsci/jenkins#5174 (https://github.com/jenkinsci/jenkins/pull/5174). Subsumes jenkinsci/jenkins#5171 (https://github.com/jenkinsci/jenkins/pull/5171). See also the corresponding mailing list thread (https://groups.google.com/g/jenkinsci-dev/c/G0itLB-tbF4).

      Problem

      Jenkins core uses a fork of Commons FileUpload (https://commons.apache.org/proper/commons-fileupload/) 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:

      1. DiskFileItem was changed to no longer implement Serializable in commit 28d997704f as part of SECURITY-159 (https://www.jenkins.io/security/advisory/2014-10-01/#security-159cve-2013-2186-arbitrary-file-system-write) on September 27, 2014. Upstream made the same change over 4 years later in 1.4 (https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt), which was released on December 23, 2018.
      2. The fix for CVE-2016-3092 (https://nvd.nist.gov/vuln/detail/CVE-2016-3092), originally released upstream in 1.3.2 on May 26, 2016, was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 (https://www.jenkins.io/security/advisory/2017-10-11/#jenkins-core-bundled-vulnerable-version-of-the-commons-fileupload-library) on September 28-29, 2017.

      Solution

      As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, keeping the fork prevents us from receiving upstream fixes.

      Upgrade to the latest upstream release, Commons FileUpload 1.4.
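As an added illustration (not code from Jenkins or from Commons FileUpload), the following JUnit 4 test encodes the two properties the fork existed for, so that a later dependency bump that lost either of them would fail the build rather than go unnoticed. It assumes commons-fileupload 1.4 and JUnit 4 on the test classpath; the package, class and method names are mine.

```java
package example; // hypothetical package, not part of Jenkins

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.io.ByteArrayInputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.apache.commons.fileupload.MultipartStream;
import org.apache.commons.fileupload.disk.DiskFileItem;
import org.junit.Test;

/**
 * Regression guard for the two security properties the Jenkins fork of
 * Commons FileUpload 1.3.1 carried. Against upstream 1.4 (or the fork) both
 * tests pass; against a plain upstream 1.3.1 both would fail, which is exactly
 * what a careless future dependency change could recreate.
 */
public class CommonsFileUploadRegressionTest {

    /** True when DiskFileItem still implements java.io.Serializable. */
    static boolean diskFileItemIsSerializable() {
        return Serializable.class.isAssignableFrom(DiskFileItem.class);
    }

    /**
     * True when MultipartStream refuses to be constructed with a buffer that
     * cannot hold the boundary plus its CRLF-- prefix. Upstream 1.3.2 added this
     * IllegalArgumentException as the fix for CVE-2016-3092; 1.3.1 accepted the
     * arguments and could then be made to burn CPU while parsing.
     */
    static boolean multipartStreamRejectsOversizedBoundary() {
        byte[] boundary = new byte[64];                 // constructed boundary, longer than the buffer
        Arrays.fill(boundary, (byte) 'x');
        byte[] body = "irrelevant".getBytes(StandardCharsets.US_ASCII); // constructed, never parsed
        int bufSize = 16;                               // too small for 64 boundary bytes + 4 prefix bytes
        try {
            new MultipartStream(new ByteArrayInputStream(body), boundary, bufSize, null);
            return false;                               // pre-1.3.2 behaviour: constructor accepts it
        } catch (IllegalArgumentException expected) {
            return true;                                // 1.3.2+ / 1.4 behaviour: rejected up front
        }
    }

    /** SECURITY-159 (fork commit 28d997704f) / upstream 1.4. */
    @Test
    public void diskFileItemIsNotSerializable() {
        assertFalse("DiskFileItem must not be Java-serializable", diskFileItemIsSerializable());
    }

    /** SECURITY-490 (fork commit ea981a029c) / upstream 1.3.2. */
    @Test
    public void oversizedBoundaryIsRejected() {
        assertTrue("MultipartStream must reject a boundary that does not fit its buffer",
                multipartStreamRejectsOversizedBoundary());
    }
}
```

The two static helpers return plain booleans so the same checks can also be run once at startup as a sanity check on whatever FileUpload jar actually ended up on the classpath, independent of the declared Maven version.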

          [JENKINS-64650] Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4

          Basil Crow created issue.
          Basil Crow made changes - Assignee: Basil Crow [ basil ]
          Basil Crow made changes - Remote Link: This issue links to "jenkinsci/jenkins#5174 (Web Link)" [ 26448 ]
          Basil Crow made changes - Status: Open [ 1 ] -> In Progress [ 3 ]
          Basil Crow made changes - Status: In Progress [ 3 ] -> In Review [ 10005 ]
          Basil Crow made changes - Issue Type: Bug [ 1 ] -> Improvement [ 4 ]
          Basil Crow made changes - Description: replaced the original one-line text ("See jenkinsci/jenkins#5174.") with the Background / Problem / Solution description shown above.
          Basil Crow made changes - Description: inserted the missing space in "Subsumes[jenkinsci/jenkins#5171]".
          Basil Crow made changes - Remote Link: This issue links to "jenkinsci/jenkins#5171 (Web Link)" [ 26449 ]
          Basil Crow made changes - Description: changed the link text from "the corresponding mailing list thread" to "mailing list thread", leaving "the corresponding" outside the link.
          Basil Crow made changes - Remote Link: This issue links to "mailing list thread (Web Link)" [ 26450 ]
            Assignee: Basil Crow (basil)
            Reporter: Basil Crow (basil)
            Votes: 0
            Watchers: 1