Posted to announce@apache.org by Stefan Bodewig <bo...@apache.org> on 2022/11/04 11:05:11 UTC

[ANN] Apache Ivy 2.5.1 Released

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Apache Ant Team is pleased to announce the release of Apache Ivy
2.5.1.

Apache Ivy is a dependency manager focusing on flexibility and
simplicity with strong integration into the Apache Ant build tool.

Ivy 2.5.1 is a bugfix release and addresses two path traversal
vulnerabilities; see the upcoming CVE announcement or
https://ant.apache.org/ivy/security.html for details.

Source and binary distributions are available for download from the
Apache Ivy download site:

https://ant.apache.org/ivy/download.cgi

When downloading, please verify signatures using the KEYS file available
at the above location when downloading the release.

Changes in 2.5.1 include:
=========================

- - BREAKING: Removed old fr\jayasoft\ivy\ant\antlib.xml AntLib definition file (see IVY-1612)
- - FIX: ResolveEngine resets dictator resolver to null in the global configuration (see IVY-1618)
- - FIX: ConcurrentModificationException in MessageLoggerHelper.sumupProblems (see IVY-1628)
- - FIX: useOrigin="true" fails with file-based ibiblio (see IVY-1616)
- - FIX: ivy:retrieve Ant task didn't create an empty fileset when no files were retrieved to a non-empty directory (see IVY-1631)
- - FIX: ivy:retrieve Ant task relied on the default HTTP header "Accept" which caused problems with servers that interpret it strictly (e.g. AWS CodeArtifact) (see IVY-1632)

- - IMPROVEMENT: Ivy command now accepts a URL for the -settings option (see IVY-1615)
- - FIX: CVE-2022-37865 allow create/overwrite any file on the system (see https://ant.apache.org/ivy/security.html)
- - FIX: CVE-2022-37866 Path traversal in patterns (see https://ant.apache.org/ivy/security.html)

For complete information on Ivy, including instructions on how to submit
bug reports, patches, or suggestions for improvement, see the Apache Ivy
website:

https://ant.apache.org/ivy/

Stefan Bodewig, on behalf of the Apache Ant community
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAmNk8ecACgkQohFa4V9ri3KZ5wCgqMKXyK121kiPGiRi1HsLckAi
S+0Anjhk4KTIXfSbQVZEomvv6AxVBQ1W
=XsJz
-----END PGP SIGNATURE-----