Posted to dev@creadur.apache.org by "Philipp Ottlinger (Jira)" <ji...@apache.org> on 2020/10/06 10:24:00 UTC

[jira] [Resolved] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8

     [ https://issues.apache.org/jira/browse/RAT-274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philipp Ottlinger resolved RAT-274.
-----------------------------------
    Resolution: Fixed

Done. Travis and Jenkins work fine.

> Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979 / raise compiler level to JDK8
> --------------------------------------------------------------------------------------------------
>
>                 Key: RAT-274
>                 URL: https://issues.apache.org/jira/browse/RAT-274
>             Project: Apache Rat
>          Issue Type: Improvement
>    Affects Versions: 0.14
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>            Priority: Major
>             Fix For: 0.14
>
>
> In order to fix CVE-2020-11979, update to the latest Ant:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> CVE-2020-11979: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.10.8
> Description:
> As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
> permissions of temporary files it created so that only the current user
> was allowed to access them. Unfortunately the fixcrlf task deleted the
> temporary file and created a new one without said protection,
> effectively nullifying the effort.
> This would still allow an attacker to inject modified source files into
> the build process.
> Mitigation:
> The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
> make Ant use a directory that is only readable and writable by the
> current user.
> Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
> ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
> and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.
> Ant 1.10.9 will also try to create a temporary directory only accessible
> by the current user if neither of the properties above is set but may
> fail to create one if the underlying filesystem doesn't allow it.
> Explicitly setting up a directory to use and setting the respective property
> is the only mitigation that will work on every platform.
> Credit:
> This issue was discovered by Mike Salvatore of the Ubuntu Security Team.
> References:
> [https://ant.apache.org/security.html]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> iEYEARECAAYFAl90uwAACgkQohFa4V9ri3J8zgCfWqCH+MkMdxt7Ewuqr2Qbu69T
> pAgAnRhd/0qTU3tZKpZZioF9twh/wWsZ
> =3wkI
> -----END PGP SIGNATURE-----



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
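As an added example (not code from the RAT-274 ticket, Apache Rat or the Ant project), the following POSIX shell helpers apply the mitigation the quoted advisory describes: create a temporary directory only the current user can read and write, verify that it really is owner-only, and pick the property to pass (ant.tmpdir for 1.9.15 / 1.10.8 and later, java.io.tmpdir for earlier releases). The function names and the assumption that releases newer than 1.9.15 / 1.10.8 keep the ant.tmpdir property are mine.

```shell
#!/bin/sh
# Added example, not part of the Jira ticket or the Ant project.
set -eu

# Create a private temp directory: mktemp -d creates it 0700, chmod makes it explicit.
make_private_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ant-private.XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Succeed only if the directory exists, is owned by the caller, and has no
# group/other permission bits. ls -ld is used because stat flags differ
# between GNU and BSD userlands.
is_private_dir() {
    [ -d "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the -D option that makes the given Ant version use $2 as its temp dir.
# Per the advisory: 1.9.15 and 1.10.8 understand ant.tmpdir (assumed to hold
# for later releases too); 1.1-1.9.14 and 1.10.0-1.10.7 need java.io.tmpdir.
ant_tmpdir_option() {
    version=$1
    dir=$2
    minor=$(printf '%s\n' "$version" | cut -d. -f2)
    patch=$(printf '%s\n' "$version" | cut -d. -f3)
    patch=${patch:-0}
    if { [ "$minor" -eq 9 ] && [ "$patch" -ge 15 ]; } \
       || { [ "$minor" -eq 10 ] && [ "$patch" -ge 8 ]; } \
       || [ "$minor" -gt 10 ]; then
        printf '%s\n' "-Dant.tmpdir=$dir"
    else
        printf '%s\n' "-Djava.io.tmpdir=$dir"
    fi
}
```

Typical use is `ant "$(ant_tmpdir_option 1.10.9 "$(make_private_tmpdir)")" ...`; for the java.io.tmpdir case the option can equally go into ANT_OPTS.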