This is an add-on package that would allow users to upload files through a web server. Although the bug sounds bad, I can't imagine that any of our sites are running this; I checked a few and I can't find it even installed anywhere. It can wait for the next scheduled patching.

-----Original Message-----
From: opensuse-security@opensuse.org [mailto:opensuse-security@opensuse.org]
Sent: Tuesday, November 12, 2013 10:04 AM
To: opensuse-security-announce@opensuse.org
Subject: [security-announce] SUSE-SU-2013:1660-1: important: Security update for jakarta-commons-fileupload

SUSE Security Update: Security update for jakarta-commons-fileupload
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1660-1
Rating:             important
References:         #846174
Cross-References:   CVE-2013-2186
Affected Products:
                    SUSE Linux Enterprise Server 11 SP3 for VMware
                    SUSE Linux Enterprise Server 11 SP3
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

jakarta-commons-fileupload received a security fix:

* A poison null byte flaw was found in the implementation of the DiskFileItem class.
  A remote attacker able to supply a serialized instance of the DiskFileItem class, which would be deserialized on a server, could use this flaw to write arbitrary content to any location on the server that is permitted by the user running the application server process. (CVE-2013-2186)

Security Issue reference:

* CVE-2013-2186
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186>
Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11 SP3 for VMware:

  zypper in -t patch slessp3-jakarta-commons-fileupload-8446

- SUSE Linux Enterprise Server 11 SP3:

  zypper in -t patch slessp3-jakarta-commons-fileupload-8446

- SUSE Linux Enterprise Server 11 SP2 for VMware:

  zypper in -t patch slessp2-jakarta-commons-fileupload-8445

- SUSE Linux Enterprise Server 11 SP2:

  zypper in -t patch slessp2-jakarta-commons-fileupload-8445

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch):

  jakarta-commons-fileupload-1.1.1-1.35.1
  jakarta-commons-fileupload-javadoc-1.1.1-1.35.1

- SUSE Linux Enterprise Server 11 SP3 (noarch):

  jakarta-commons-fileupload-1.1.1-1.35.1
  jakarta-commons-fileupload-javadoc-1.1.1-1.35.1

- SUSE Linux Enterprise Server 11 SP2 for VMware (noarch):

  jakarta-commons-fileupload-1.1.1-1.35.1
  jakarta-commons-fileupload-javadoc-1.1.1-1.35.1

- SUSE Linux Enterprise Server 11 SP2 (noarch):

  jakarta-commons-fileupload-1.1.1-1.35.1
  jakarta-commons-fileupload-javadoc-1.1.1-1.35.1

References:

http://support.novell.com/security/cve/CVE-2013-2186.html
https://bugzilla.novell.com/846174
http://download.novell.com/patch/finder/?keywords=4e850046eae7d47e6c4921a624...
http://download.novell.com/patch/finder/?keywords=56b6ca4a38407b07a824c188ac...
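As an added example (not part of the SUSE advisory or the reply above), a small Python triage script that applies the advisory's fixed build, jakarta-commons-fileupload-1.1.1-1.35.1, to package query output gathered from several hosts, so the "is it even installed, and is it old enough to matter" check is done by version comparison rather than by eye. The host names and query lines are constructed, and the script assumes each host reported via `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' jakarta-commons-fileupload`.

```python
import re

# Fixed build named in SUSE-SU-2013:1660-1: jakarta-commons-fileupload-1.1.1-1.35.1
FIXED_VERSION, FIXED_RELEASE = "1.1.1", "1.35.1"

def rpm_vercmp(a, b):
    """Compare two rpm version/release strings the way rpmvercmp does (-1, 0, 1):
    split into digit and letter runs, numbers compare as integers, letters as
    strings, a number outranks letters, and more segments means newer."""
    sa, sb = re.findall(r"\d+|[a-zA-Z]+", a), re.findall(r"\d+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_patch(version, release):
    """True if the installed version-release is older than the fixed build."""
    c = rpm_vercmp(version, FIXED_VERSION)
    return c < 0 if c else rpm_vercmp(release, FIXED_RELEASE) < 0

def triage(lines):
    """Map 'host: <rpm -q output>' lines to 'not installed', 'patched' or 'NEEDS PATCH'."""
    status = {}
    for line in lines:
        host, _, rest = line.partition(":")
        fields = rest.split()
        if "not installed" in rest:
            status[host.strip()] = "not installed"
        elif len(fields) == 3 and fields[0] == "jakarta-commons-fileupload":
            status[host.strip()] = "NEEDS PATCH" if needs_patch(fields[1], fields[2]) else "patched"
    return status

# Constructed sample, as if each host ran:
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' jakarta-commons-fileupload
SAMPLE = [
    "web01: jakarta-commons-fileupload 1.1.1 1.33.2",
    "web02: jakarta-commons-fileupload 1.1.1 1.35.1",
    "web03: package jakarta-commons-fileupload is not installed",
    "web04: jakarta-commons-fileupload 1.1.1 1.35.3",
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(host, state)
```

The comparison deliberately ignores rpm's tilde and caret rules, which none of the builds in this advisory use.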