Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-64650

Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4

    XMLWordPrintable

Details

    • Improvement
    • Resolution: Fixed
    • Minor
    • core
    • None
    • 2.278

    Description

      Background

      See jenkinsci/jenkins#5174. Subsumes jenkinsci/jenkins#5171. See also the corresponding mailing list thread.

      Problem

      Jenkins core uses a fork of Commons FileUpload 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:

      1. DiskFileItem was made no longer Serializable in commit 28d997704f as part of SECURITY-159 on September 27, 2014. Upstream made the same change over 4 years later in 1.4 (which was released on December 23, 2018).
      2. The fix for CVE-2016-3092 (originally released upstream in 1.3.2 on May 26, 2016) was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 on September 28-29, 2017.

      Solution

      As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, it prevents us from receiving upstream fixes.

      Solution

      Upgrade to the latest upstream release, Commons FileUpload 1.4.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. JENKINS-65327 File parameters no longer overwrite previous files

          • Major - Major loss of function.
          • Closed
          links to

          Web Link jenkinsci/jenkins#5171

          Web Link jenkinsci/jenkins#5174

          Web Link mailing list thread

          Activity

            People

              basil Basil Crow
              basil Basil Crow
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: