[Commented] (MANTRUN-227) Upgrade Ant to 1.10.8

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[Commented] (MANTRUN-227) Upgrade Ant to 1.10.8

Elliotte Rusty Harold (Jira)

    [ https://issues.apache.org/jira/browse/MANTRUN-227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17196028#comment-17196028 ]

Hudson commented on MANTRUN-227:
--------------------------------

Build failed in Jenkins: Maven » Maven TLP » maven-antrun-plugin » master #21

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-antrun-plugin/job/master/21/

> Upgrade Ant to 1.10.8
> ---------------------
>
>                 Key: MANTRUN-227
>                 URL: https://issues.apache.org/jira/browse/MANTRUN-227
>             Project: Maven Antrun Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 3.0.0
>            Reporter: Sylwester Lachiewicz
>            Priority: Major
>              Labels: Security
>             Fix For: 3.1.0
>
>
> Versions Affected: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
>  
> *Medium: insecure temporary file vulnerability* [CVE-2020-1945|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945]
> Apache Ant uses the default temporary directory identified by the Java system property {{java.io.tmpdir}} for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.
> *Mitigation:* Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property to point to a directory only readable and writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property {{ant.tmpfile}} instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary files if the underlying filesystem allows it, but we still recommend using a private temporary directory instead.
> This was fixed in revisions [9c1f4d905da59bf446570ac28df5b68a37281f35|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=9c1f4d905da59bf446570ac28df5b68a37281f35], [041b058c7bf10a94d56db3ca9dba38cf90ab9943|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=041b058c7bf10a94d56db3ca9dba38cf90ab9943] and [a8645a151bc706259fb1789ef587d05482d98612|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=a8645a151bc706259fb1789ef587d05482d98612].
> This was first reported to the Security Team on 29 January 2020 and made public on 13 May 2020
> Affects: until 1.10.7



--
This message was sent by Atlassian Jira
(v8.3.4#803005)