Upgrade apache-commons-fileupload from 1.2.2 to 1.3.1 to address CVE-2014-0050 (BZ#1064682). This was shipped as a 0-day patch with the 6.0.1 release and now needs to be included as part of the product itself.
The roll up patch is handled in bug 1076709.
Kris, sure, but I'll be doing a blind upgrade: if it compiles, I'll push it. (I can't run wb locally.) Is that ok?

Here's an overview of where commons-fileupload is used:

$ script/find-all.sh pom.xml commons-fileupload
./guvnor/guvnor-services/guvnor-services-backend/pom.xml: <groupId>commons-fileupload</groupId>
./guvnor/guvnor-services/guvnor-services-backend/pom.xml: <artifactId>commons-fileupload</artifactId>
./guvnor/guvnor-m2repo-editor/guvnor-m2repo-editor-backend/pom.xml: <groupId>commons-fileupload</groupId>
./guvnor/guvnor-m2repo-editor/guvnor-m2repo-editor-backend/pom.xml: <artifactId>commons-fileupload</artifactId>
./guvnor/guvnor-inbox/guvnor-inbox-backend/pom.xml: <groupId>commons-fileupload</groupId>
./guvnor/guvnor-inbox/guvnor-inbox-backend/pom.xml: <artifactId>commons-fileupload</artifactId>
./dashboard-builder/pom.xml: <groupId>commons-fileupload</groupId>
./dashboard-builder/pom.xml: <artifactId>commons-fileupload</artifactId>
./jbpm-designer/jbpm-designer-backend/pom.xml: <groupId>commons-fileupload</groupId>
./jbpm-designer/jbpm-designer-backend/pom.xml: <artifactId>commons-fileupload</artifactId>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/pom.xml: <module>org-apache-commons-fileupload</module>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml: <artifactId>org-apache-commons-fileupload</artifactId>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml: <name>KIE EAP - org-apache-commons-fileupload static module</name>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml: <groupId>commons-fileupload</groupId>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml: <artifactId>commons-fileupload</artifactId>
./kie-wb-distributions/kie-eap-integration/kie-eap-distributions/kie-eap-distributions-bpms-layer/pom.xml: <artifactId>org-apache-commons-fileupload</artifactId>
./kie-wb-common/kie-wb-common-services/kie-wb-common-services-backend/pom.xml: <groupId>commons-fileupload</groupId>
./kie-wb-common/kie-wb-common-services/kie-wb-common-services-backend/pom.xml: <artifactId>commons-fileupload</artifactId>
./jbpm-form-modeler/jbpm-form-modeler-core/jbpm-form-modeler-service/jbpm-form-modeler-common/pom.xml: <groupId>commons-fileupload</groupId>
./jbpm-form-modeler/jbpm-form-modeler-core/jbpm-form-modeler-service/jbpm-form-modeler-common/pom.xml: <artifactId>commons-fileupload</artifactId>
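The grep above shows where the artifact is declared but not which version each module resolves to. The script below is an added example, not part of this thread or the droolsjbpm project: it reports, per pom.xml, whether the commons-fileupload dependency is still older than 1.3.1, is inherited from a parent/BOM ("managed", as the module poms above do), or is absent. The sample poms it writes to a temp dir are constructed.

```shell
# Added example (not from the bug thread or the droolsjbpm project): flag pom.xml
# files whose commons-fileupload dependency is older than 1.3.1 (fixes CVE-2014-0050).
FIXED_VERSION=1.3.1

# Print the <version> inside a pom's commons-fileupload <dependency> block,
# "managed" if that block carries no version (inherited from a parent/BOM, as in
# the module poms listed above), or "absent" if the pom never references it.
pom_fileupload_version() {
    awk '
        /<dependency>/ { indep = 1; art = 0; ver = "" }
        indep && /<artifactId>commons-fileupload<\/artifactId>/ { art = 1 }
        indep && /<version>/ { ver = $0; sub(/.*<version>/, "", ver); sub(/<\/version>.*/, "", ver) }
        /<\/dependency>/ { if (art) { print (ver == "" ? "managed" : ver); found = 1; exit }; indep = 0 }
        END { if (!found) print "absent" }
    ' "$1"
}

# Return 0 when dotted version $1 is older than $2 (1.2.2 < 1.3.1, 1.3 < 1.3.1).
# Only numeric components are compared; a qualifier such as -redhat-1 is ignored.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0; bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# Classify one pom: prints vulnerable, fixed, managed or absent.
check_pom() {
    v=$(pom_fileupload_version "$1")
    case "$v" in
        managed|absent) echo "$v" ;;
        *) if version_older_than "$v" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi ;;
    esac
}
# Constructed sample pom: $1 = path, $2 = version ("" = managed by the parent/BOM).
write_sample_pom() {
    [ -n "$2" ] && ver="      <version>$2</version>" || ver=""
    printf '<project>\n  <version>6.0.1</version>\n  <dependencies>\n    <dependency>\n      <groupId>commons-fileupload</groupId>\n      <artifactId>commons-fileupload</artifactId>\n%s\n    </dependency>\n  </dependencies>\n</project>\n' "$ver" > "$1"
}
SAMPLE_DIR=$(mktemp -d)
write_sample_pom "$SAMPLE_DIR/old.xml" 1.2.2
write_sample_pom "$SAMPLE_DIR/fixed.xml" 1.3.1
write_sample_pom "$SAMPLE_DIR/module.xml" ""
for pom in "$SAMPLE_DIR"/*.xml; do printf '%s\t%s\n' "$pom" "$(check_pom "$pom")"; done
```

Run it over a real checkout with `find . -name pom.xml` in place of the sample loop; a "managed" result means the effective version has to be read from the parent or BOM, which is exactly where the 6.0.x gap discussed later in this bug sits.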
Pushed to master:
http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/55099e668
http://github.com/droolsjbpm/guvnor/commit/7c7985ea7

Pushed to 6.0.x:
http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/f14ed03ff
http://github.com/droolsjbpm/guvnor/commit/311325364

IP bom request: https://github.com/jboss-integration/jboss-integration-platform-bom/pull/48
(In reply to Geoffrey De Smet from comment #4)
> Pushed to master:
> http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/55099e668
> http://github.com/droolsjbpm/guvnor/commit/7c7985ea7
> Pushed to 6.0.x
> http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/f14ed03ff
> http://github.com/droolsjbpm/guvnor/commit/311325364
> IP bom request:
> https://github.com/jboss-integration/jboss-integration-platform-bom/pull/48

Geoffrey, so I see the fileupload updates only apply to the jboss-integration-platform-bom master branch, not to 6.0.x. And the new tag 6.0.0.CR7 doesn't contain the commons-fileupload updates. So is this intended?
Now I have updated the product bom to match commons-fileupload 1.3.1.
Verified fixed in 6.0.2.ER3.