
Bug 1078507

Summary: Upgrade apache-commons-fileupload to 1.3.1 to address CVE-2014-0050
Product: [Retired] JBoss BRMS Platform 6
Reporter: Rajesh Rajasekaran <rrajasek>
Component: Build and Assembly
Assignee: Ryan Zhang <rzhang>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Široký <psiroky>
Severity: high
Docs Contact:
Priority: high
Version: 6.0.1
CC: kverlaen, mbaluch, pavelp, rzhang
Target Milestone: ER3
Keywords: Security
Target Release: 6.0.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-06 19:54:16 UTC
Type: Component Upgrade
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1064682
Bug Blocks:

Description Rajesh Rajasekaran 2014-03-19 19:28:47 UTC
Upgrade apache-commons-fileupload from 1.2.2 to 1.3.1 to address CVE-2014-0050 (BZ#1064682).
This was shipped as a 0-day patch with the 6.0.1 release and now needs to be included as part of the product itself.

Comment 1 Arun Babu Neelicattu 2014-03-20 02:18:16 UTC
The roll up patch is handled in bug 1076709.

Comment 3 Geoffrey De Smet 2014-03-28 13:31:35 UTC
Kris, sure, but I'll be doing a blind upgrade: if it compiles, I'll push it. (I can't run wb locally). Is that ok?

Here's an overview where commons-fileupload is used:

$ script/find-all.sh pom.xml commons-fileupload
./guvnor/guvnor-services/guvnor-services-backend/pom.xml:      <groupId>commons-fileupload</groupId>
./guvnor/guvnor-services/guvnor-services-backend/pom.xml:      <artifactId>commons-fileupload</artifactId>
./guvnor/guvnor-m2repo-editor/guvnor-m2repo-editor-backend/pom.xml:      <groupId>commons-fileupload</groupId>
./guvnor/guvnor-m2repo-editor/guvnor-m2repo-editor-backend/pom.xml:      <artifactId>commons-fileupload</artifactId>
./guvnor/guvnor-inbox/guvnor-inbox-backend/pom.xml:      <groupId>commons-fileupload</groupId>
./guvnor/guvnor-inbox/guvnor-inbox-backend/pom.xml:      <artifactId>commons-fileupload</artifactId>
./dashboard-builder/pom.xml:            <groupId>commons-fileupload</groupId>
./dashboard-builder/pom.xml:            <artifactId>commons-fileupload</artifactId>
./jbpm-designer/jbpm-designer-backend/pom.xml:      <groupId>commons-fileupload</groupId>
./jbpm-designer/jbpm-designer-backend/pom.xml:      <artifactId>commons-fileupload</artifactId>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/pom.xml:    <module>org-apache-commons-fileupload</module>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml:  <artifactId>org-apache-commons-fileupload</artifactId>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml:  <name>KIE EAP - org-apache-commons-fileupload static module</name>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml:      <groupId>commons-fileupload</groupId>
./kie-wb-distributions/kie-eap-integration/kie-eap-modules/kie-eap-static-modules/org-apache-commons-fileupload/pom.xml:      <artifactId>commons-fileupload</artifactId>
./kie-wb-distributions/kie-eap-integration/kie-eap-distributions/kie-eap-distributions-bpms-layer/pom.xml:      <artifactId>org-apache-commons-fileupload</artifactId>
./kie-wb-common/kie-wb-common-services/kie-wb-common-services-backend/pom.xml:      <groupId>commons-fileupload</groupId>
./kie-wb-common/kie-wb-common-services/kie-wb-common-services-backend/pom.xml:      <artifactId>commons-fileupload</artifactId>
./jbpm-form-modeler/jbpm-form-modeler-core/jbpm-form-modeler-service/jbpm-form-modeler-common/pom.xml:            <groupId>commons-fileupload</groupId>
./jbpm-form-modeler/jbpm-form-modeler-core/jbpm-form-modeler-service/jbpm-form-modeler-common/pom.xml:            <artifactId>commons-fileupload</artifactId>
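
The listing above only shows where the artifact is declared; a reviewer verifying the upgrade also wants to know which version each pom actually resolves to. The following script is an added example, not code from this bug report or from the droolsjbpm/kie projects: it walks a checkout, parses every pom.xml, expands ${property} placeholders from that pom's own <properties>, and reports each commons-fileupload dependency as vulnerable (below 1.3.1), ok, unresolved (property defined elsewhere) or inherited (no <version> at all, so the parent pom or a BOM decides, which is the situation comment 6 raises). It does not implement full Maven inheritance; that is why the last two categories exist. The three embedded poms are constructed samples.

```python
"""Audit pom.xml files for commons-fileupload versions below 1.3.1 (CVE-2014-0050).
Added example; not from the bug report or the droolsjbpm/kie projects.
Sample poms at the bottom are constructed, not taken from any real build."""
import os
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.3.1"              # first commons-fileupload release fixing CVE-2014-0050
GROUP = ARTIFACT = "commons-fileupload"
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def local(tag):
    """Strip the Maven XML namespace so poms with and without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def child_text(el, name):
    """Text of the first direct child called `name`, or None if absent/empty."""
    for c in el:
        if local(c.tag) == name:
            return (c.text or "").strip() or None
    return None


def version_key(v):
    """'1.2.2' -> (1, 2, 2); non-numeric qualifiers such as 'redhat' compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def is_vulnerable(version):
    return version_key(version) < version_key(FIXED_VERSION)


def resolve(value, props, depth=5):
    """Expand ${prop} placeholders from <properties>; bounded in case of cycles."""
    while value and depth and PROP_RE.search(value):
        value = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        depth -= 1
    return value


def audit_pom_text(xml_text, path="pom.xml"):
    """One finding per commons-fileupload dependency in this pom (any section)."""
    root = ET.fromstring(xml_text)
    props = {}
    for c in root:
        if local(c.tag) == "properties":
            props.update({local(p.tag): (p.text or "").strip() for p in c})
        elif local(c.tag) == "version":
            props["project.version"] = (c.text or "").strip()
    findings = []
    for dep in root.iter():          # iter() also covers <dependencyManagement> and <profiles>
        if local(dep.tag) != "dependency":
            continue
        if child_text(dep, "groupId") != GROUP or child_text(dep, "artifactId") != ARTIFACT:
            continue
        version = resolve(child_text(dep, "version"), props)
        if version is None:
            status = "inherited"     # parent pom or BOM supplies the version: check there
        elif PROP_RE.search(version):
            status = "unresolved"    # property is defined outside this pom
        elif is_vulnerable(version):
            status = "vulnerable"
        else:
            status = "ok"
        findings.append({"pom": path, "version": version, "status": status})
    return findings


def audit_tree(root_dir):
    """Walk a checkout and audit every pom.xml under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if "pom.xml" in files:
            path = os.path.join(dirpath, "pom.xml")
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_pom_text(fh.read(), path))
    return findings


# Constructed sample poms covering the inline, property-resolved and BOM-managed cases.
SAMPLE_POMS = {
    "inline/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
      <dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId>
      <version>1.2.2</version></dependency></dependencies></project>""",
    "property/pom.xml": """<project><properties>
      <version.commons-fileupload>1.3.1</version.commons-fileupload></properties>
      <dependencyManagement><dependencies><dependency><groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId><version>${version.commons-fileupload}</version>
      </dependency></dependencies></dependencyManagement></project>""",
    "bom-managed/pom.xml": """<project><dependencies><dependency>
      <groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId>
      </dependency></dependencies></project>""",
}


def run_samples():
    findings = []
    for path, xml_text in SAMPLE_POMS.items():
        findings.extend(audit_pom_text(xml_text, path))
    return findings


if __name__ == "__main__":
    import sys
    results = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else run_samples()
    for f in results:
        print(f"{f['status']:<11} {f['version'] or '-':<12} {f['pom']}")
```

Run it with the checkout root as the only argument; with no argument it audits the embedded samples. Anything reported as inherited or unresolved has to be checked in the parent pom or the BOM that supplies the version, which in this bug is the jboss-integration-platform-bom.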

Comment 6 Ryan Zhang 2014-04-29 07:07:22 UTC
(In reply to Geoffrey De Smet from comment #4)
> Pushed to master:
>   http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/55099e668
>   http://github.com/droolsjbpm/guvnor/commit/7c7985ea7
> Pushed to 6.0.x
>   http://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/f14ed03ff
>   http://github.com/droolsjbpm/guvnor/commit/311325364
> IP bom request:
>   https://github.com/jboss-integration/jboss-integration-platform-bom/pull/48
Geoffrey, so I see the fileupload updates only apply to the jboss-integration-platform-bom master branch, not to 6.0.x. And the new tag 6.0.0.CR7 doesn't contain the commons-fileupload updates. So is this intended?

Comment 7 Ryan Zhang 2014-04-29 07:29:46 UTC
Now I have updated the product bom to match commons-fileupload 1.3.1.

Comment 8 Petr Široký 2014-05-28 16:13:48 UTC
Verified fixed in 6.0.2.ER3.