- Improvement
- Resolution: Fixed
- Minor
- None
- 2.278
Background
See jenkinsci/jenkins#5174. Subsumes jenkinsci/jenkins#5171. See also the corresponding mailing list thread.
Problem
Jenkins core uses a fork of Commons FileUpload 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:
- DiskFileItem was made non-Serializable in commit 28d997704f as part of SECURITY-159 on September 27, 2014. Upstream made the same change more than 4 years later, in 1.4 (released on December 23, 2018).
- The fix for CVE-2016-3092 (originally released upstream in 1.3.2 on May 26, 2016) was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 on September 28-29, 2017.
Solution
As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, maintaining the fork prevents us from receiving upstream fixes.
Solution
Upgrade to the latest upstream release, Commons FileUpload 1.4.
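The description above makes a supply-chain point that is easy to miss when reading version strings: a vendor fork such as 1.3.1-jenkins-2 carries backported fixes that a version-only scanner cannot see, so it is reported as vulnerable to CVE-2016-3092 even though the fix is present, while an upstream 1.3.2 passes that check yet still ships the Serializable DiskFileItem. The following Python script is an added example, not code from the Jenkins issue or the Jenkins code base. It audits constructed `mvn dependency:tree` output for commons-fileupload artifacts and contrasts the version-only verdict with one that credits known backports. It assumes that the fork version 1.3.1-jenkins-2 named in the issue title carries both changes the description lists; the org.example coordinates and the sample tree lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Release facts taken from the issue description.
CVE_2016_3092_FIXED_IN = (1, 3, 2)          # upstream 1.3.2, May 26, 2016
DISKFILEITEM_NOT_SERIALIZABLE_IN = (1, 4)   # upstream 1.4, December 23, 2018
LATEST_UPSTREAM = (1, 4)

# Backports carried by the Jenkins fork. Assumption: 1.3.1-jenkins-2 (the fork
# version named in the issue title) contains both changes the description lists.
FORK_BACKPORTS = {
    "1.3.1-jenkins-2": {"CVE-2016-3092", "DiskFileItem-not-Serializable"},
}

# Constructed sample of `mvn dependency:tree` output; the org.example
# coordinates are made up for this example.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- commons-fileupload:commons-fileupload:jar:1.3.1-jenkins-2:compile
[INFO] +- commons-io:commons-io:jar:2.8.0:compile
[INFO] \\- org.example:other-lib:jar:3.0.0:compile
[INFO]    \\- commons-fileupload:commons-fileupload:jar:1.3.2:compile
"""

DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    is_fork: bool
    naive_issues: set = field(default_factory=set)      # version-only comparison
    effective_issues: set = field(default_factory=set)  # after crediting known backports
    recommendation: str = ""


def parse_version(version):
    """Split '1.3.1-jenkins-2' into ((1, 3, 1), 'jenkins-2'); '1.4' into ((1, 4), None)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, m.group(2)


def _pad(parts, width=3):
    # Right-pad with zeros so (1, 4) and (1, 4, 0) compare equal.
    return parts + (0,) * (width - len(parts))


def assess(group, artifact, version):
    base, suffix = parse_version(version)
    base = _pad(base)
    naive = set()
    if base < _pad(CVE_2016_3092_FIXED_IN):
        naive.add("CVE-2016-3092")
    if base < _pad(DISKFILEITEM_NOT_SERIALIZABLE_IN):
        naive.add("DiskFileItem-not-Serializable")
    is_fork = suffix is not None
    # A fork may carry fixes its base version number does not advertise.
    effective = naive - FORK_BACKPORTS.get(version, set())
    if is_fork or base < _pad(LATEST_UPSTREAM):
        recommendation = "upgrade to upstream commons-fileupload 1.4"
    else:
        recommendation = "up to date"
    return Finding(group, artifact, version, is_fork, naive, effective, recommendation)


def audit(tree_text):
    """Return one Finding per commons-fileupload artifact in the tree, in order."""
    findings = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if not m or m.group(2) != "commons-fileupload":
            continue
        group, artifact, version, _scope = m.groups()
        findings.append(assess(group, artifact, version))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f"{f.group}:{f.artifact}:{f.version}  fork={f.is_fork}")
        print(f"  version-only scanner reports : {sorted(f.naive_issues) or 'none'}")
        print(f"  after crediting backports    : {sorted(f.effective_issues) or 'none'}")
        print(f"  recommendation               : {f.recommendation}")
```

On the sample tree the fork entry is flagged for both issues by the version-only comparison and for neither once its backports are credited, while the transitive 1.3.2 is clean on CVE-2016-3092 but still carries the Serializable DiskFileItem. Both findings resolve to the same recommendation the issue makes: move to upstream 1.4, after which no backport table is needed to interpret the version number.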
- causes: JENKINS-65327 File parameters no longer overwrite previous files (Closed)
- links to: jenkinsci/jenkins#5174, jenkinsci/jenkins#5171, mailing list thread
[JENKINS-64650] Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4
Assignee | New: Basil Crow [ basil ] |
Remote Link | New: This issue links to "jenkinsci/jenkins#5174 (Web Link)" [ 26448 ] |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Status | Original: In Progress [ 3 ] | New: In Review [ 10005 ] |
Issue Type | Original: Bug [ 1 ] | New: Improvement [ 4 ] |
Description | Original: See [jenkinsci/jenkins#5174|https://github.com/jenkinsci/jenkins/pull/5174]. |
New:
h3. Background
See [jenkinsci/jenkins#5174|https://github.com/jenkinsci/jenkins/pull/5174]. Subsumes[jenkinsci/jenkins#5171|https://github.com/jenkinsci/jenkins/pull/5171]. See also [the corresponding mailing list thread|https://groups.google.com/g/jenkinsci-dev/c/G0itLB-tbF4].
h3. Problem
Jenkins core uses a fork of [Commons FileUpload|https://commons.apache.org/proper/commons-fileupload/] 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:
# {{DiskFileItem}} was made no longer {{Serializable}} in commit {{28d997704f}} as part of [SECURITY-159|https://www.jenkins.io/security/advisory/2014-10-01/#security-159cve-2013-2186-arbitrary-file-system-write] on September 27, 2014. Upstream made the same change over 4 years later in [1.4|https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt] (which was released on December 23, 2018).
# The fix for [CVE-2016-3092|https://nvd.nist.gov/vuln/detail/CVE-2016-3092] (originally released upstream in [1.3.2|https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt] on May 26, 2016) was backported to the Jenkins fork in commit {{ea981a029c}} as part of [SECURITY-490|https://www.jenkins.io/security/advisory/2017-10-11/#jenkins-core-bundled-vulnerable-version-of-the-commons-fileupload-library] on September 28-29, 2017.
h3. Solution
As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, it prevents us from receiving upstream fixes.
h3. Solution
Upgrade to the latest upstream release, [Commons FileUpload|https://commons.apache.org/proper/commons-fileupload/] 1.4. |
Description |
Original: (identical to the "New" text of the preceding Description change) |
New:
h3. Background
See [jenkinsci/jenkins#5174|https://github.com/jenkinsci/jenkins/pull/5174]. Subsumes [jenkinsci/jenkins#5171|https://github.com/jenkinsci/jenkins/pull/5171]. See also [the corresponding mailing list thread|https://groups.google.com/g/jenkinsci-dev/c/G0itLB-tbF4].
h3. Problem
Jenkins core uses a fork of [Commons FileUpload|https://commons.apache.org/proper/commons-fileupload/] 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:
# {{DiskFileItem}} was made no longer {{Serializable}} in commit {{28d997704f}} as part of [SECURITY-159|https://www.jenkins.io/security/advisory/2014-10-01/#security-159cve-2013-2186-arbitrary-file-system-write] on September 27, 2014. Upstream made the same change over 4 years later in [1.4|https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt] (which was released on December 23, 2018).
# The fix for [CVE-2016-3092|https://nvd.nist.gov/vuln/detail/CVE-2016-3092] (originally released upstream in [1.3.2|https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt] on May 26, 2016) was backported to the Jenkins fork in commit {{ea981a029c}} as part of [SECURITY-490|https://www.jenkins.io/security/advisory/2017-10-11/#jenkins-core-bundled-vulnerable-version-of-the-commons-fileupload-library] on September 28-29, 2017.
h3. Solution
As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, it prevents us from receiving upstream fixes.
h3. Solution
Upgrade to the latest upstream release, [Commons FileUpload|https://commons.apache.org/proper/commons-fileupload/] 1.4. |
Remote Link | New: This issue links to "jenkinsci/jenkins#5171 (Web Link)" [ 26449 ] |
Description |
Original: (identical to the "New" text of the preceding Description change) |
New:
h3. Background
See [jenkinsci/jenkins#5174|https://github.com/jenkinsci/jenkins/pull/5174]. Subsumes [jenkinsci/jenkins#5171|https://github.com/jenkinsci/jenkins/pull/5171]. See also the corresponding [mailing list thread|https://groups.google.com/g/jenkinsci-dev/c/G0itLB-tbF4].
h3. Problem
Jenkins core uses a fork of [Commons FileUpload|https://commons.apache.org/proper/commons-fileupload/] 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:
# {{DiskFileItem}} was made no longer {{Serializable}} in commit {{28d997704f}} as part of [SECURITY-159|https://www.jenkins.io/security/advisory/2014-10-01/#security-159cve-2013-2186-arbitrary-file-system-write] on September 27, 2014. Upstream made the same change over 4 years later in [1.4|https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt] (which was released on December 23, 2018).
# The fix for [CVE-2016-3092|https://nvd.nist.gov/vuln/detail/CVE-2016-3092] (originally released upstream in [1.3.2|https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt] on May 26, 2016) was backported to the Jenkins fork in commit {{ea981a029c}} as part of [SECURITY-490|https://www.jenkins.io/security/advisory/2017-10-11/#jenkins-core-bundled-vulnerable-version-of-the-commons-fileupload-library] on September 28-29, 2017.
h3. Solution
As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, it prevents us from receiving upstream fixes.
h3. Solution
Upgrade to the latest upstream release, [Commons FileUpload|https://commons.apache.org/proper/commons-fileupload/] 1.4. |
Remote Link | New: This issue links to "mailing list thread (Web Link)" [ 26450 ] |