Debian alert DLA-4245-1 (libcommons-fileupload-java)
From: Markus Koschany <apo@debian.org>
To: debian-lts-announce <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4245-1] libcommons-fileupload-java security update
Date: Tue, 22 Jul 2025 03:07:48 +0200
Message-ID: <f57a593700525202be9d351a24eb8b24488b66a3.camel@debian.org>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4245-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
July 22, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libcommons-fileupload-java
Version        : 1.4-1+deb11u1
CVE ID         : CVE-2023-24998 CVE-2025-48976
Debian Bug     : 1031733 1108120

Two security vulnerabilities have been found in libcommons-fileupload-java,
a Java library that adds robust, high-performance, file upload capability
to your servlets and web applications.

CVE-2023-24998

    Apache Commons FileUpload does not limit the number of request parts to
    be processed, resulting in the possibility of an attacker triggering a
    DoS with a malicious upload or series of uploads. Note that, like all of
    the file upload limits, the new configuration option
    (FileUploadBase#setFileCountMax) is not enabled by default and must be
    explicitly configured.

CVE-2025-48976

    Allocation of resources for multipart headers with insufficient limits
    enabled a DoS vulnerability in Apache Commons FileUpload.

For Debian 11 bullseye, these problems have been fixed in version
1.4-1+deb11u1.

We recommend that you upgrade your libcommons-fileupload-java packages.

For the detailed security status of libcommons-fileupload-java please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/libcommons-fileupload-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
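Because the advisory stresses that the part-count limit is off by default, the following added example (not part of the advisory or of Commons FileUpload itself) shows an application-side configuration that sets it together with the library's existing size limits, and rejects a request that exceeds them. It assumes the 1.x API (`javax.servlet`, `ServletFileUpload`) and that the Debian backport carries upstream's `FileUploadBase.FileCountLimitExceededException`; the numeric limits are hypothetical policy values.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class BoundedUploadHandler {

    // Hypothetical application policy values (assumptions, not taken from the advisory).
    private static final long MAX_FILES_PER_REQUEST = 10;            // FileUploadBase#setFileCountMax
    private static final long MAX_REQUEST_BYTES = 50L * 1024 * 1024; // FileUploadBase#setSizeMax
    private static final long MAX_FILE_BYTES = 10L * 1024 * 1024;    // FileUploadBase#setFileSizeMax

    /** Weak: no limits set, so the number of parts a client may send is unbounded (CVE-2023-24998). */
    static ServletFileUpload unboundedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    /** Hardened: every limit is set explicitly, since none of them is enabled by default. */
    static ServletFileUpload boundedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_FILES_PER_REQUEST); // the option the advisory refers to
        upload.setSizeMax(MAX_REQUEST_BYTES);          // whole multipart body
        upload.setFileSizeMax(MAX_FILE_BYTES);         // each individual file part
        return upload;
    }

    /** Parses a multipart request under the bounded configuration; limit violations become rejections. */
    static List<FileItem> parseBounded(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        try {
            return boundedUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Too many parts: the condition CVE-2023-24998 describes, now rejected instead of processed.
            throw new FileUploadException("too many parts in upload: " + e.getMessage(), e);
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            throw new FileUploadException("upload exceeds configured size limit: " + e.getMessage(), e);
        }
    }
}
```

The caller should map the thrown FileUploadException to a 4xx response and log it, so that a burst of over-limit uploads is visible to detection rather than silently absorbed.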
Attachment: signature.asc (type=application/pgp-signature)