Bugzilla – Bug 862781
VUL-0: CVE-2014-0050: jakarta-commons-fileupload: denial of service due to too-small buffer size used
Last modified: 2014-04-22 06:38:11 UTC
CVE-2014-0050 A flaw was found in Apache Commons FileUpload. Specially-crafted input could trigger a denial of service if the buffer used by the MultipartStream was not big enough. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050 https://bugzilla.redhat.com/show_bug.cgi?id=1062337 http://svn.apache.org/viewvc?view=revision&revision=1565169 http://svn.apache.org/viewvc?view=revision&revision=1565143
bugbot adjusting priority
Upstream fixes: Tomcat: Fix CVE-2014-0050 DoS with malformed Content-Type header and multipart request processing. Update to latest code (r1565163) from Commons FileUpload http://svn.apache.org/viewvc?view=revision&revision=1565169 fileupload: Fix CVE-2014-0050. Specially crafted input can trigger a DoS if the buffer used by the <code>MultipartStream</code> is not big enough. When constructing <code>MultipartStream</code> enforce the requirements for buffer size by throwing an <code>IllegalArgumentException</code> if the requested buffer size is too small. This prevents the DoS. http://svn.apache.org/viewvc?view=revision&revision=1565143
The SWAMPID for this issue is 56205. This issue was rated as important. Please submit fixed packages until 2014-02-18. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Rewrote the patch to work with our jakarta version and submitted to the maintained projects + factory. Should I do something else here?
This is an autogenerated message for OBS integration: This bug (862781) was mentioned in https://build.opensuse.org/request/show/228752 Factory / jakarta-commons-fileupload https://build.opensuse.org/request/show/228753 12.3 / jakarta-commons-fileupload https://build.opensuse.org/request/show/228754 13.1 / jakarta-commons-fileupload
openSUSE-SU-2014:0527-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 862781 CVE References: CVE-2014-0050 Sources used: openSUSE 13.1 (src): jakarta-commons-fileupload-1.1.1-117.121.1
openSUSE-SU-2014:0528-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 862781 CVE References: CVE-2014-0050 Sources used: openSUSE 12.3 (src): jakarta-commons-fileupload-1.1.1-114.8.1
Update released for: jakarta-commons-fileupload, jakarta-commons-fileupload-javadoc Products: SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0548-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 862781 CVE References: CVE-2014-0050 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): jakarta-commons-fileupload-1.1.1-1.37.1 SUSE Linux Enterprise Server 11 SP3 (src): jakarta-commons-fileupload-1.1.1-1.37.1
Fixed and released. Closing bug.