CVE-2016-3092

Name	CVE-2016-3092
Description	The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-528-1, DLA-529-1, DSA-3609-1, DSA-3611-1, DSA-3614-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libcommons-fileupload-java (PTS)	buster	1.3.3-1	fixed
	bullseye	1.4-1	fixed
	bookworm	1.4-2	fixed
	sid, trixie	1.5-1	fixed
tomcat9 (PTS)	buster	9.0.31-1~deb10u6	fixed
	buster (security)	9.0.31-1~deb10u12	fixed
	bullseye	9.0.43-2~deb11u9	fixed
	bullseye (security)	9.0.43-2~deb11u10	fixed
	sid, trixie, bookworm	9.0.70-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
libcommons-fileupload-java	source	wheezy	1.2.2-1+deb7u3	DLA-528-1
libcommons-fileupload-java	source	jessie	1.3.1-1+deb8u1	DSA-3611-1
libcommons-fileupload-java	source	(unstable)	1.3.2-1
tomcat7	source	wheezy	7.0.28-4+deb7u5	DLA-529-1
tomcat7	source	jessie	7.0.56-3+deb8u3	DSA-3614-1
tomcat7	source	(unstable)	7.0.70-1
tomcat8	source	jessie	8.0.14-1+deb8u2	DSA-3609-1
tomcat8	source	(unstable)	8.0.36-1
tomcat9	source	(unstable)	(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
Fixed by https://svn.apache.org/r1743480
Upstream advisory http://markmail.org/message/oyxfv73jb2g7rjg3
https://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E