Posted to issues@hive.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/10/22 20:08:00 UTC

[jira] [Work logged] (HIVE-23583) Upgrade to ant 1.10.9 due to CVEs

     [ https://issues.apache.org/jira/browse/HIVE-23583?focusedWorklogId=503888&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-503888 ]

ASF GitHub Bot logged work on HIVE-23583:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 22/Oct/20 20:07
            Start Date: 22/Oct/20 20:07
    Worklog Time Spent: 10m 
      Work Description: risdenk opened a new pull request #1599:
URL: https://github.com/apache/hive/pull/1599


   ### What changes were proposed in this pull request?
   Upgrade ant 1.9.1 to 1.10.9 due to CVEs.
   
   
   ### Why are the changes needed?
   There are CVEs affecting ant 1.9.1
   
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   
   ### How was this patch tested?
   Unit tests.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 503888)
    Remaining Estimate: 0h
            Time Spent: 10m

> Upgrade to ant 1.10.9 due to CVEs
> ---------------------------------
>
>                 Key: HIVE-23583
>                 URL: https://issues.apache.org/jira/browse/HIVE-23583
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.2
>            Reporter: Renukaprasad C
>            Assignee: Renukaprasad C
>            Priority: Major
>             Fix For: 4.0.0
>
>         Attachments: HIVE-23583.01.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Update ANT to fix:
> CVE-2020-1945: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
> Description:
> Apache Ant uses the default temporary directory identified by the Java
> system property java.io.tmpdir for several tasks and may thus leak
> sensitive information. The fixcrlf and replaceregexp tasks also copy
> files from the temporary directory back into the build tree allowing an
> attacker to inject modified source files into the build process.
> Mitigation:
> Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
> java.io.tmpdir system property to point to a directory only readable and
> writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
> files if the underlying filesystem allows it, but we still recommend
> using a private temporary directory instead.
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1945
> https://nvd.nist.gov/vuln/detail/CVE-2020-1945



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
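The mitigation quoted in the issue description above (point java.io.tmpdir at a directory only the current user can read and write before running Ant) is usually done by hand. The following wrapper is an added example, not code from the Hive pull request or from the Apache Ant project: it creates a fresh 0700 directory per build, refuses to run if the directory is not private, passes the override to the JVM through ANT_OPTS (which the stock ant launcher script forwards to java), and removes the directory afterwards. The function names make_private_tmpdir, check_private_dir, ant_opts_for and run_ant_private_tmp are my own; the only assumption about the environment is that an ant launcher honouring ANT_OPTS is on PATH when run_ant_private_tmp is called.

```shell
#!/bin/sh
# Added example (not from HIVE-23583 or Apache Ant): run Ant with a private,
# per-invocation temporary directory instead of the shared java.io.tmpdir.
# This is the CVE-2020-1945 mitigation for Ant < 1.9.15 / < 1.10.8 and is
# still recommended for later versions.
set -eu

# Create a fresh directory readable, writable and searchable only by the
# caller. umask 077 guards against an mktemp that honours a permissive umask;
# the explicit chmod makes the mode exactly 0700 regardless of platform.
make_private_tmpdir() {
    base="${1:-${TMPDIR:-/tmp}}"
    old_umask=$(umask)
    umask 077
    dir=$(mktemp -d "$base/ant-private.XXXXXX")
    umask "$old_umask"
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Return 0 only if the path is a directory owned by the current user with
# mode exactly 0700 (no group/other bits, no setgid/sticky surprises).
# find -prune -user -perm are all POSIX, so this works in sh, dash and bash.
check_private_dir() {
    d="$1"
    [ -d "$d" ] || return 1
    [ -n "$(find "$d" -prune -user "$(id -un)" -perm 0700)" ] || return 1
    return 0
}

# JVM flag that redirects java.io.tmpdir; Ant's launcher forwards ANT_OPTS
# to the java command line, so this reaches every task that uses the
# default temp directory (fixcrlf, replaceregexp, ...).
ant_opts_for() {
    printf '%s\n' "-Djava.io.tmpdir=$1"
}

# Run ant with the given arguments under a private tmpdir, cleaning up on
# exit. Refuses to run if the directory is not verifiably private (for
# example because the filesystem ignores permission bits).
run_ant_private_tmp() {
    d=$(make_private_tmpdir)
    if ! check_private_dir "$d"; then
        echo "refusing to run ant: $d is not a private directory" >&2
        rm -rf "$d"
        return 1
    fi
    trap 'rm -rf "$d"' EXIT INT TERM
    ANT_OPTS="${ANT_OPTS:-} $(ant_opts_for "$d")" ant "$@"
}

# Usage (uncomment to run a real build):
# run_ant_private_tmp -f build.xml clean jar
```

The check is deliberately strict: on filesystems that do not enforce Unix permissions (some network and container mounts), find will not report mode 0700 and the wrapper declines to build rather than silently falling back to a world-readable temp directory. After upgrading to the fixed Ant versions the same wrapper still applies; the advisory recommends a private temp directory even where Ant protects its own files.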