Hi Mark, You probably meant to update the 1.x branch as the branches names "release" get merged into in order the create releases.
Gary On Mon, Jun 16, 2025, 08:32 <ma...@apache.org> wrote: > This is an automated email from the ASF dual-hosted git repository. > > markt pushed a commit to branch release-1.x > in repository https://gitbox.apache.org/repos/asf/commons-fileupload.git > > > The following commit(s) were added to refs/heads/release-1.x by this push: > new 91f09c1a Add information for CVE-2025-48976 > 91f09c1a is described below > > commit 91f09c1ae3432051b6d94ab0ec3f0becf3de08ea > Author: Mark Thomas <ma...@apache.org> > AuthorDate: Mon Jun 16 13:30:14 2025 +0100 > > Add information for CVE-2025-48976 > --- > RELEASE-NOTES.txt | 2 +- > src/changes/changes.xml | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt > index ea0b8f33..86215889 100644 > --- a/RELEASE-NOTES.txt > +++ b/RELEASE-NOTES.txt > @@ -28,7 +28,7 @@ Changes in this version include: > New features: > o [1.x] Enable multipart/related on FileUpload #314. > Thanks to mufasa1976, Jochen Wiedmann, Gary Gregory. > o Add JApiCmp to the default Maven goal. Thanks to Gary > Gregory. > -o Add partHeaderSizeMax, a new limit that sets a maximum > number of bytes for each individual multipart header. The default is 512 > bytes. Thanks to Mark Thomas. > +o SECURITY - CVE-2025-48976. Add partHeaderSizeMax, a > new limit that sets a maximum number of bytes for each individual multipart > header. The default is 512 bytes. Thanks to Mark Thomas. > > Fixed Bugs: > o Replace use of Locale.ENGLISH with Locale.ROOT. Thanks > to Gary Gregory. > diff --git a/src/changes/changes.xml b/src/changes/changes.xml > index 2134d877..e71e9097 100644 > --- a/src/changes/changes.xml > +++ b/src/changes/changes.xml > @@ -46,7 +46,7 @@ The <action> type attribute can be add,update,fix,remove. > <!-- ADD --> > <action type="add" dev="ggregory" due-to="mufasa1976, Jochen > Wiedmann, Gary Gregory">[1.x] Enable multipart/related on FileUpload > #314.</action> > <action type="add" dev="ggregory" due-to="Gary Gregory">Add JApiCmp > to the default Maven goal.</action> > - <action type="add" dev="markt" due-to="Mark Thomas">Add > partHeaderSizeMax, a new limit that sets a maximum number of bytes for each > individual multipart header. The default is 512 bytes.</action> > + <action type="add" dev="markt" due-to="Mark Thomas">SECURITY - > CVE-2025-48976. Add partHeaderSizeMax, a new limit that sets a maximum > number of bytes for each individual multipart header. The default is 512 > bytes.</action> > <!-- FIX --> > <action type="fix" dev="ggregory" due-to="Gary Gregory">Replace use > of Locale.ENGLISH with Locale.ROOT.</action> > <action type="fix" dev="ggregory" due-to="Gary Gregory">Remove > unused exception from FileUploadBase.createItem(Map, boolean).</action> > >