From owner-svn-ports-head@freebsd.org Fri Jul 15 17:13:54 2016
Return-Path:
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 785B2B99F66; Fri, 15 Jul 2016 17:13:54 +0000 (UTC) (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 296001D90; Fri, 15 Jul 2016 17:13:54 +0000 (UTC) (envelope-from feld@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u6FHDrrI039003; Fri, 15 Jul 2016 17:13:53 GMT (envelope-from feld@FreeBSD.org)
Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u6FHDrn7039001; Fri, 15 Jul 2016 17:13:53 GMT (envelope-from feld@FreeBSD.org)
Message-Id: <201607151713.u6FHDrn7039001@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f
From: Mark Felder
Date: Fri, 15 Jul 2016 17:13:53 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r418592 - head/security/vuxml
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 15 Jul 2016 17:13:54 -0000

Author: feld
Date: Fri Jul 15 17:13:52 2016
New Revision: 418592

URL: https://svnweb.freebsd.org/changeset/ports/418592

Log:
  Rename vuxml entry, add new detailed reference as primary.

  This new reference has much more detailed information. It appears even
  the latest version of struts is affected and this may affect many
  products using the Apache Commons FileUpload Utility such as Jenkins,
  Lucene-Solr, etc. Unfortunately it's difficult to identify which version
  of the Apache Commons FileUpload Utility products may have, so this
  vuxml may be expanded as more products are successfully identified.

  PR:		211105
  Security:	CVE-2016-3092

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Jul 15 16:56:01 2016	(r418591)
+++ head/security/vuxml/vuln.xml	Fri Jul 15 17:13:52 2016	(r418592)
@@ -59,7 +59,7 @@ Notes: --> - tomcat -- denial of service + Apache Commons FileUpload -- denial of service tomcat6 @@ -75,13 +75,13 @@ Notes: apache-struts - 1.3.2 + 2.5.2

Jochen Wiedmann reports:

-
+

A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

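Review bot: the apache-struts version bound in this hunk moves from 1.3.2 to 2.5.2 (the enclosing range tag was lost in extraction, so whether this is a less-than bound or an exact match is not visible), yet the log states that "even the latest version of struts is affected"; unless 2.5.2 is a confirmed fixed release, the bound should be expressed so that a current apache-struts port still matches the entry, otherwise `pkg audit` will report it clean. The paired `-`/`+` lines after "Jochen Wiedmann reports:" carry no visible content, so the attribute changed there (presumably the cited source of the quoted description) cannot be checked from the diff alone; it should at least agree with the reference promoted to primary in the following hunk.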
@@ -89,6 +89,7 @@ Notes: + http://jvn.jp/en/jp/JVN89379547/index.html http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E CVE-2016-3092
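Review bot: the first hunk retitles the entry from "tomcat -- denial of service" to "Apache Commons FileUpload -- denial of service", naming the shared library rather than the ports currently listed (tomcat6, apache-struts); given that the log expects the affected-port list to grow, the library-level title is the right choice, but the quoted description in the second hunk still spells it "Fileupload", which should be aligned to "FileUpload" when the entry is next touched.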
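Review bot: the new reference http://jvn.jp/en/jp/JVN89379547/index.html is inserted ahead of the existing commons-dev mail-archive URL and the CVE-2016-3092 identifier, which matches the log's intent of making it the primary reference; since the log also anticipates adding further Commons FileUpload consumers (Jenkins, Lucene-Solr), it would help to cite the upstream Commons FileUpload announcement that states the fixed library version as well, so that later range additions have a single authoritative source for which library versions are affected.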