Posted to dev@creadur.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/07/03 10:00:19 UTC

[jira] [Commented] (RAT-269) Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by updating to latest ANT

    [ https://issues.apache.org/jira/browse/RAT-269?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17150903#comment-17150903 ] 

ASF subversion and git services commented on RAT-269:
-----------------------------------------------------

Commit 5511240032240378ef52400bb8eabe89d1ba7648 in creadur-rat's branch refs/heads/feature/RAT-259 from Hugo Hirsch
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=5511240 ]

RAT-269: Update Apache ANT to fix CVE-2020-1945


> Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by updating to latest ANT
> ---------------------------------------------------------------------------------------------
>
>                 Key: RAT-269
>                 URL: https://issues.apache.org/jira/browse/RAT-269
>             Project: Apache Rat
>          Issue Type: Improvement
>    Affects Versions: 0.13
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>            Priority: Major
>             Fix For: 0.14
>
>
> Update ANT to fix:
> CVE-2020-1945: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
> Description:
> Apache Ant uses the default temporary directory identified by the Java
> system property java.io.tmpdir for several tasks and may thus leak
> sensitive information. The fixcrlf and replaceregexp tasks also copy
> files from the temporary directory back into the build tree allowing an
> attacker to inject modified source files into the build process.
> Mitigation:
> Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
> java.io.tmpdir system property to point to a directory only readable and
> writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
> files if the underlying filesystem allows it, but we still recommend
> using a private temporary directory instead.
> Credit:
> This issue was discovered by Mike Salvatore of the Ubuntu Security Team.
> References:
> https://ant.apache.org/security.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
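
The mitigation quoted in the advisory above (point java.io.tmpdir at a directory only the current user can read and write before running Ant), as an added shell example that is not part of the original message or of the Apache Rat or Ant projects. The function names and the `ant-tmp.` prefix are assumptions; `ANT_OPTS` is the environment variable the Ant launcher script passes to the JVM.

```shell
#!/bin/sh
# Added example: run Ant with a private, per-invocation java.io.tmpdir.
# Function names and the "ant-tmp." prefix are hypothetical.

# Create a fresh directory with mode 0700 under the given base
# (default: $HOME) and print its path.
make_private_tmpdir() {
    base="${1:-${HOME:?HOME is not set}}"
    old_umask=$(umask)
    umask 077                       # no group/other bits, even briefly
    dir=$(mktemp -d "${base}/ant-tmp.XXXXXXXX") || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with permissions exactly rwx------.
is_private_dir() {
    d="$1"
    [ -d "$d" ] && [ ! -L "$d" ] && [ -O "$d" ] || return 1
    perms=$(ls -ld "$d" | cut -c1-10)   # ignore a trailing ACL/SELinux marker
    [ "$perms" = "drwx------" ]
}

# Run ant with java.io.tmpdir set to a private directory, then remove it.
# Note: ANT_OPTS is split on whitespace, so the base path must not
# contain spaces.
run_ant_private() {
    tmp=$(make_private_tmpdir) || return 1
    if ! is_private_dir "$tmp"; then
        echo "refusing to run ant: $tmp is not private" >&2
        return 1
    fi
    ANT_OPTS="${ANT_OPTS:-} -Djava.io.tmpdir=${tmp}" ant "$@"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage after sourcing this file:  run_ant_private -f build.xml
```

The check in `is_private_dir` matters when the directory is reused between builds rather than created fresh, since a pre-existing path may have been created by another user or replaced with a symlink.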