Jenkins / JENKINS-64650

Upgrade Commons FileUpload from 1.3.1-jenkins-2 to 1.4


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels: None
    • Released As: 2.278

      Description

      Background

      See jenkinsci/jenkins#5174. Subsumes jenkinsci/jenkins#5171. See also the corresponding mailing list thread.

      Problem

      Jenkins core uses a fork of Commons FileUpload 1.3.1 (which was released upstream on February 7, 2014). Two changes were made to the Jenkins fork:

      1. DiskFileItem was made no longer Serializable in commit 28d997704f as part of SECURITY-159 on September 27, 2014. Upstream made the same change over 4 years later in 1.4 (which was released on December 23, 2018).
      2. The fix for CVE-2016-3092 (originally released upstream in 1.3.2 on May 26, 2016) was backported to the Jenkins fork in commit ea981a029c as part of SECURITY-490 on September 28-29, 2017.

      Solution

      As of 2021, the latest upstream release (1.4) contains all the changes present in the fork; therefore, the fork is no longer necessary. Furthermore, maintaining the fork prevents us from receiving upstream fixes.

      Upgrade to the latest upstream release, Commons FileUpload 1.4.
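The description's point, that a fork pinned to 1.3.1 cannot inherit fixes upstream shipped in 1.3.2 or 1.4 unless someone backports them by hand, can be turned into a dependency audit. The script below is an added example, not code from JENKINS-64650 or Jenkins core; the `mvn dependency:list` style lines and the UPSTREAM_LATEST / FIX_FLOOR tables are constructed stand-ins for real build output and a release feed.

```python
"""Audit a dependency list for downstream forks that lag their upstream line.
Added example, not code from JENKINS-64650 or Jenkins core: the `mvn dependency:list`
style lines and the UPSTREAM_LATEST / FIX_FLOOR tables below are constructed."""
import re

# group:artifact:packaging:version:scope (classifier variants are ignored here)
DEP_RE = re.compile(
    r"^(?:\[INFO\])?\s*(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):[^:]+:"
    r"(?P<version>[^:\s]+):(?P<scope>\w+)")
# A fork carries an "-<owner>-<n>" suffix: 1.3.1-jenkins-2 is Jenkins's 2nd respin of 1.3.1.
FORK_RE = re.compile(r"^(?P<base>\d+(?:\.\d+)*)-(?P<owner>[a-z]+)-(?P<n>\d+)$")

UPSTREAM_LATEST = {"commons-fileupload:commons-fileupload": "1.4"}
# Earliest upstream version carrying each fix of interest (constructed table).
FIX_FLOOR = {"commons-fileupload:commons-fileupload": {"CVE-2016-3092": "1.3.2"}}

SAMPLE = """\
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.1-jenkins-2:compile
[INFO]    commons-io:commons-io:jar:2.8.0:compile
[INFO]    org.jenkins-ci:annotation-indexer:jar:1.15:compile
"""

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def split_fork(version):
    """Return (base, owner, respin) for a forked version string, else None."""
    m = FORK_RE.match(version)
    return (m["base"], m["owner"], int(m["n"])) if m else None

def audit(dep_lines):
    findings = []
    for line in dep_lines:
        m = DEP_RE.match(line)
        fork = split_fork(m["version"]) if m else None
        if fork is None:
            continue  # not a dependency line, or not a fork
        key = f"{m['group']}:{m['artifact']}"
        base, latest = parse_version(fork[0]), UPSTREAM_LATEST.get(key)
        # Fixes upstream shipped after the forked base were not inherited; they
        # reach the fork only by hand backport (as SECURITY-490 did for CVE-2016-3092).
        to_verify = sorted(cve for cve, floor in FIX_FLOOR.get(key, {}).items()
                           if base < parse_version(floor))
        findings.append({
            "artifact": key, "version": m["version"], "fork_of": fork[0],
            "lags_upstream": latest is not None and base < parse_version(latest),
            "fixes_to_verify_backported": to_verify,
        })
    return findings
```

Run `audit(SAMPLE.splitlines())`: the only finding is the forked commons-fileupload, flagged as lagging 1.4 with CVE-2016-3092 listed as a fix that must be confirmed backported rather than assumed present.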

            Activity

            basil Basil Crow created issue -
            basil Basil Crow made changes -
            Field Original Value New Value
            Assignee Basil Crow [ basil ]
            basil Basil Crow made changes -
            Remote Link This issue links to "jenkinsci/jenkins#5174 (Web Link)" [ 26448 ]
            basil Basil Crow made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            basil Basil Crow made changes -
            Status In Progress [ 3 ] In Review [ 10005 ]
            basil Basil Crow made changes -
            Issue Type Bug [ 1 ] Improvement [ 4 ]
            basil Basil Crow made changes -
            Remote Link This issue links to "jenkinsci/jenkins#5171 (Web Link)" [ 26449 ]
            basil Basil Crow made changes -
            Remote Link This issue links to "mailing list thread (Web Link)" [ 26450 ]
            markewaite Mark Waite made changes -
            Released As 2.278
            Resolution Fixed [ 1 ]
            Status In Review [ 10005 ] Closed [ 6 ]
            basil Basil Crow made changes -
            Link This issue causes JENKINS-65327 [ JENKINS-65327 ]

              People

              Assignee:
              basil Basil Crow
              Reporter:
              basil Basil Crow
              Votes:
              0
              Watchers:
              1