Hi Mark,

You probably meant to update the 1.x branch, as the branches named "release"
get merged into in order to create releases.

Gary

On Mon, Jun 16, 2025, 08:32 <ma...@apache.org> wrote:

> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch release-1.x
> in repository https://gitbox.apache.org/repos/asf/commons-fileupload.git
>
>
> The following commit(s) were added to refs/heads/release-1.x by this push:
>      new 91f09c1a Add information for CVE-2025-48976
> 91f09c1a is described below
>
> commit 91f09c1ae3432051b6d94ab0ec3f0becf3de08ea
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Mon Jun 16 13:30:14 2025 +0100
>
>     Add information for CVE-2025-48976
> ---
>  RELEASE-NOTES.txt       | 2 +-
>  src/changes/changes.xml | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
> index ea0b8f33..86215889 100644
> --- a/RELEASE-NOTES.txt
> +++ b/RELEASE-NOTES.txt
> @@ -28,7 +28,7 @@ Changes in this version include:
>  New features:
>  o                  [1.x] Enable multipart/related on FileUpload #314.
> Thanks to mufasa1976, Jochen Wiedmann, Gary Gregory.
>  o                  Add JApiCmp to the default Maven goal. Thanks to Gary
> Gregory.
> -o                  Add partHeaderSizeMax, a new limit that sets a maximum
> number of bytes for each individual multipart header. The default is 512
> bytes. Thanks to Mark Thomas.
> +o                  SECURITY - CVE-2025-48976. Add partHeaderSizeMax, a
> new limit that sets a maximum number of bytes for each individual multipart
> header. The default is 512 bytes. Thanks to Mark Thomas.
>
>  Fixed Bugs:
>  o                  Replace use of Locale.ENGLISH with Locale.ROOT. Thanks
> to Gary Gregory.
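
Review bot: The added "SECURITY - CVE-2025-48976." prefix gives only the identifier, and the entry still sits under "New features:", so someone scanning the release notes for security fixes can miss it and cannot tell from this line what exposure the limit addresses. Suggest adding a short clause on the impact of the issue, and a note that applications whose parts legitimately carry headers larger than the 512-byte default will need to raise partHeaderSizeMax after upgrading.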
> diff --git a/src/changes/changes.xml b/src/changes/changes.xml
> index 2134d877..e71e9097 100644
> --- a/src/changes/changes.xml
> +++ b/src/changes/changes.xml
> @@ -46,7 +46,7 @@ The <action> type attribute can be add,update,fix,remove.
>        <!-- ADD -->
>        <action type="add" dev="ggregory" due-to="mufasa1976, Jochen
> Wiedmann, Gary Gregory">[1.x] Enable multipart/related on FileUpload
> #314.</action>
>        <action type="add" dev="ggregory" due-to="Gary Gregory">Add JApiCmp
> to the default Maven goal.</action>
> -      <action type="add" dev="markt"    due-to="Mark Thomas">Add
> partHeaderSizeMax, a new limit that sets a maximum number of bytes for each
> individual multipart header. The default is 512 bytes.</action>
> +      <action type="add" dev="markt"    due-to="Mark Thomas">SECURITY -
> CVE-2025-48976. Add partHeaderSizeMax, a new limit that sets a maximum
> number of bytes for each individual multipart header. The default is 512
> bytes.</action>
>        <!-- FIX -->
>        <action type="fix" dev="ggregory" due-to="Gary Gregory">Replace use
> of Locale.ENGLISH with Locale.ROOT.</action>
>        <action type="fix" dev="ggregory" due-to="Gary Gregory">Remove
> unused exception from FileUploadBase.createItem(Map, boolean).</action>
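
Review bot: The changed action under `<!-- ADD -->` keeps type="add" while its text now begins "SECURITY - CVE-2025-48976.", so the CVE exists only as free text inside an entry classified as a feature. Since the file header lists add, update, fix and remove as the only types, it would help to document in that header how security entries are to be marked, so that reports generated from changes.xml present them consistently and this wording stays in step with the matching line in RELEASE-NOTES.txt.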
>
>
