This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-fileupload.git
The following commit(s) were added to refs/heads/master by this push: new 6263f44 Update docs 6263f44 is described below commit 6263f449a39050396eac6208d3292823321e5997 Author: Gary Gregory <garydgreg...@gmail.com> AuthorDate: Tue Jul 11 09:54:54 2023 -0400 Update docs --- src/site/fml/faq.fml | 3 +++ src/site/xdoc/security-reports.xml | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/src/site/fml/faq.fml b/src/site/fml/faq.fml index 6fd1d6c..e369a94 100644 --- a/src/site/fml/faq.fml +++ b/src/site/fml/faq.fml @@ -182,6 +182,9 @@ try { DiskFileItem, which can be used for malicious attacks. </question> <answer> + <p> + Starting in version 2.0.0-M1, no FileUpload classes implement Serializable. + </p> <p> It is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and including 1.3.2. It is also true, that a malicious attacker can abuse this possibility to create abitraryly diff --git a/src/site/xdoc/security-reports.xml b/src/site/xdoc/security-reports.xml index 09a2ab6..d342722 100644 --- a/src/site/xdoc/security-reports.xml +++ b/src/site/xdoc/security-reports.xml @@ -52,6 +52,12 @@ href="https://commons.apache.org/security.html">security page of the Apache Commons project</a>.</p> + <subsection name="Fixed in Apache Commons FileUpload 2.0.0-M1"> + <p> + Starting in version 2.0.0-M1, no FileUpload classes implement Serializable. + </p> + </subsection> + <subsection name="Fixed in Apache Commons FileUpload 1.5"> <p><b>Important: Denial of Service</b> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998">CVE-2023-24998</a></p>
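Review bot: In the faq.fml hunk, the new paragraph is inserted ahead of the existing answer, so the answer now opens with "Starting in version 2.0.0-M1, no FileUpload classes implement Serializable." and then continues with "It is true, that this class exists, and can be serialized/deserialized in FileUpload versions, up to, and including 1.3.2", leaving the reader to work out on their own what the status is for the releases between 1.3.2 and 2.0.0-M1 and why the two sentences sit side by side. Consider placing the new paragraph at the end of the answer, or prefixing it with a short bridge such as "Note that, starting in version 2.0.0-M1, ..." so the answer reads in version order. While touching this answer, the context line "to create abitraryly" has a typo ("arbitrarily") that could be corrected in the same change.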
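Review bot: In the security-reports.xml hunk, the new subsection "Fixed in Apache Commons FileUpload 2.0.0-M1" does not follow the pattern of the neighbouring subsection, which pairs a bold severity label ("Important: Denial of Service") with a link to the corresponding CVE entry; the new one contains only "Starting in version 2.0.0-M1, no FileUpload classes implement Serializable." with no reference to the report or advisory it closes. A reader scanning this page will not be able to tell whether this is a fix for a reported vulnerability or a general hardening change. Suggest either linking the relevant report in the same style as the other subsections, or rewording the paragraph to say explicitly that removing Serializable from all classes is a hardening measure that closes the deserialization concern around DiskFileItem described in the FAQ (and linking that FAQ entry). Since the sentence asserts a property of every class in the module, it would also be worth backing it with a unit test that fails if any class in the package implements java.io.Serializable, so the documentation cannot silently go stale.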