31580 – apache-commons-fileupload new security issue CVE-2023-24998

Bug 31580 - apache-commons-fileupload new security issue CVE-2023-24998

Summary: apache-commons-fileupload new security issue CVE-2023-24998

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2023-02-21 16:33 CET by David Walser
Modified:	2023-02-27 21:29 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	apache-commons-fileupload-1.4-4.mga9.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2023-02-21 16:33:47 CET

Apache has issued an advisory on February 20:
https://www.openwall.com/lists/oss-security/2023/02/20/2

The issue is fixed upstream in 1.5:
https://commons.apache.org/proper/commons-fileupload/security-reports.html

Mageia 8 is also affected.

David Walser 2023-02-21 16:34:02 CET

Status comment: (none) => Fixed upstream in 1.5
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-02-22 04:56:29 CET

Done for both mga8 and Cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-02-22 05:37:51 CET

apache-commons-fileupload-1.4-3.1.mga8
apache-commons-fileupload-javadoc-1.4-3.1.mga8

from apache-commons-fileupload-1.4-3.1.mga8.src.rpm

Version: Cauldron => 8
Assignee: java => qa-bugs
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.5 => (none)

Comment 3 Herman Viaene 2023-02-22 15:31:31 CET

MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 12653 finally agreed on OK on clean install. Nevertheless I started httpd and checked "It works" on localhost in Firefox.
So good to go.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2023-02-23 23:55:41 CET

Validating.

CC: (none) => andrewsfarm

Thomas Andrews 2023-02-23 23:56:10 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-02-25 20:08:07 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-02-27 21:29:20 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0070.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.