Details
- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Released As: 2.278
Description
Background
See jenkinsci/jenkins#5174. Subsumes jenkinsci/jenkins#5171. See also the corresponding mailing list thread.
Problem
Jenkins core uses a fork of Commons FileUpload 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:
- DiskFileItem was made no longer Serializable in commit 28d997704f as part of SECURITY-159 on September 27, 2014. Upstream made the same change over 4 years later in 1.4 (which was released on December 23, 2018).
- The fix for CVE-2016-3092 (originally released upstream in 1.3.2 on May 26, 2016) was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 on September 28-29, 2017.
Solution
As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, keeping the fork prevents Jenkins from receiving upstream fixes.
Upgrade to the latest upstream release, Commons FileUpload 1.4.
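As an added example (not code from this issue or from Jenkins), a Python check that classifies Commons FileUpload jars found in a WEB-INF/lib listing against the version thresholds this issue cites, and flags vendor-qualified (forked) versions for manual review of backports, because a fork's base version says nothing reliable: the fork here was based on 1.3.1 yet carried the CVE-2016-3092 fix. The jar file names in the sample listing and the "-jenkins-2" qualifier are constructed assumptions, not the real fork's naming.

```python
import re
from typing import NamedTuple, Optional

# Versions from the issue text: CVE-2016-3092 was fixed upstream in 1.3.2,
# and 1.4 is the upstream release that subsumes the Jenkins fork's changes.
CVE_2016_3092_FIXED_IN = (1, 3, 2)
UPSTREAM_TARGET = (1, 4)

# Matches commons-fileupload-<numeric version>[-<vendor qualifier>].jar
JAR_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)(-[A-Za-z0-9.-]+)?\.jar$")

class Finding(NamedTuple):
    jar: str
    base_version: Optional[tuple]
    qualifier: Optional[str]
    verdict: str

def assess_jar(jar_name: str) -> Finding:
    """Classify a bundled Commons FileUpload jar from its file name alone."""
    m = JAR_RE.match(jar_name)
    if not m:
        return Finding(jar_name, None, None, "not-commons-fileupload")
    base = tuple(int(p) for p in m.group(1).split("."))
    qualifier = m.group(2)
    if qualifier:
        # A vendor qualifier (a fork) makes the numeric version unreliable both
        # ways: this page's fork was 1.3.1 yet carried the CVE-2016-3092 backport,
        # and a fork also stops receiving later upstream fixes. Review by hand.
        return Finding(jar_name, base, qualifier, "forked-review-backports")
    if base < CVE_2016_3092_FIXED_IN:
        return Finding(jar_name, base, None, "vulnerable-CVE-2016-3092")
    if base < UPSTREAM_TARGET:
        return Finding(jar_name, base, None, "patched-but-behind-1.4")
    return Finding(jar_name, base, None, "ok-upstream-1.4-or-later")

def assess_lib_dir(jar_names) -> list:
    """Findings for every Commons FileUpload jar in a WEB-INF/lib listing."""
    return [f for f in map(assess_jar, jar_names)
            if f.verdict != "not-commons-fileupload"]

# Constructed sample listing, not taken from a real Jenkins WAR; the
# "-jenkins-2" qualifier is a hypothetical fork naming, not the real one.
SAMPLE_LIB = [
    "commons-fileupload-1.3.1.jar",
    "commons-fileupload-1.3.1-jenkins-2.jar",
    "commons-fileupload-1.3.3.jar",
    "commons-fileupload-1.4.jar",
    "commons-io-2.8.0.jar",
]
```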
Issue Links
- causes: JENKINS-65327 File parameters no longer overwrite previous files (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Assignee | | Basil Crow [ basil ] |
Remote Link | | This issue links to "jenkinsci/jenkins#5174 (Web Link)" [ 26448 ] |
Status | Open [ 1 ] | In Progress [ 3 ] |
Status | In Progress [ 3 ] | In Review [ 10005 ] |
Issue Type | Bug [ 1 ] | Improvement [ 4 ] |
Remote Link | | This issue links to "jenkinsci/jenkins#5171 (Web Link)" [ 26449 ] |
Remote Link | | This issue links to "mailing list thread (Web Link)" [ 26450 ] |
Released As | | 2.278 |
Resolution | | Fixed [ 1 ] |
Status | In Review [ 10005 ] | Closed [ 6 ] |