Posted to dev@creadur.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2020/10/06 07:08:00 UTC

[jira] [Commented] (RAT-274) Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979

    [ https://issues.apache.org/jira/browse/RAT-274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17208521#comment-17208521 ] 

ASF subversion and git services commented on RAT-274:
-----------------------------------------------------

Commit 302835083247d51bdc27b202ab6998133c89f13a in creadur-rat's branch refs/heads/master from Hugo Hirsch
[ https://gitbox.apache.org/repos/asf?p=creadur-rat.git;h=3028350 ]

RAT-274: Update Ant - changelog.


> Update to at least Ant 1.10.8/1.9.15 in order to fix CVE-2020-11979
> -------------------------------------------------------------------
>
>                 Key: RAT-274
>                 URL: https://issues.apache.org/jira/browse/RAT-274
>             Project: Apache Rat
>          Issue Type: Improvement
>    Affects Versions: 0.14
>            Reporter: Philipp Ottlinger
>            Assignee: Philipp Ottlinger
>            Priority: Major
>
> In order to fix CVE-2020-11979 update to latest Ant:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> CVE-2020-11979: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.10.8
> Description:
> As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
> permissions of temporary files it created so that only the current user
> was allowed to access them. Unfortunately the fixcrlf task deleted the
> temporary file and created a new one without said protection,
> effectively nullifying the effort.
> This would still allow an attacker to inject modified source files into
> the build process.
> Mitigation:
> The best mitigation against CVE-2020-11979 and CVE-2020-1945 still is to
> make Ant use a directory that is only readable and writable by the
> current user.
> Ant users of versions 1.10.8 and 1.9.15 can use the Ant property
> ant.tmpdir to point to such a directory, users of versions 1.1 to 1.9.14
> and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property.
> Ant 1.10.9 will also try to create a temporary directory only accessible
> by the current user if neither of the properties above is set but may
> fail to create one if the underlying filesystem doesn't allow it.
> Explicitly setting up a directory to use and setting the respective property
> is the only mitigation that will work on every platform.
> Credit:
> This issue was discovered by Mike Salvatore of the Ubuntu Security Team.
> References:
> [https://ant.apache.org/security.html]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> iEYEARECAAYFAl90uwAACgkQohFa4V9ri3J8zgCfWqCH+MkMdxt7Ewuqr2Qbu69T
> pAgAnRhd/0qTU3tZKpZZioF9twh/wWsZ
> =3wkI
> -----END PGP SIGNATURE-----



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
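The mitigation quoted in the advisory above (make Ant use a temporary directory that only the current user can read and write, selected through `ant.tmpdir` on Ant 1.9.15 / 1.10.8 and later, or `java.io.tmpdir` on older releases) as a runnable defender-side check. This is an added example, not code from the Jira thread, from Apache Rat or from Apache Ant; the `ant-tmp.XXXXXX` naming, the `--demo` flag and passing the properties through `ANT_OPTS` are my assumptions about how an operator would wire it up.

```shell
#!/bin/sh
# Added example; not code from the Jira thread or from Apache Ant.
# Creates a temporary directory that only the current user can access and
# verifies it before it is handed to Ant through ant.tmpdir (Ant 1.9.15 /
# 1.10.8 and later) or java.io.tmpdir (older releases), which is the
# mitigation the advisory recommends for CVE-2020-1945 / CVE-2020-11979.

# make_private_tmpdir BASE
#   Prints the path of a freshly created mode-0700 directory under BASE.
#   umask 077 applies inside the $(...) subshell only, so the directory
#   never exists with group/other bits set, not even briefly.
make_private_tmpdir() {
    base="$1"
    dir=$(umask 077 && mktemp -d "${base}/ant-tmp.XXXXXX") || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# tmpdir_is_private DIR
#   Succeeds only if DIR is a directory owned by the caller whose group and
#   other permission bits are all clear. GNU stat is tried first, BSD stat
#   second, so the check works on Linux and macOS.
tmpdir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null) || return 1
    # Octal mode such as 700 or 1700: the last two digits are group and other.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# ant_tmpdir_opts DIR
#   Prints the JVM options to put in ANT_OPTS. Setting both properties covers
#   releases that read ant.tmpdir and releases that only honour java.io.tmpdir.
ant_tmpdir_opts() {
    printf '%s %s\n' "-Dant.tmpdir=$1" "-Djava.io.tmpdir=$1"
}

# Demonstration (hypothetical --demo flag): create a directory, check it and
# print the export line to run before invoking ant.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_private_tmpdir "${TMPDIR:-/tmp}") || exit 1
    if tmpdir_is_private "$d"; then
        echo "ok: $d is only accessible by uid $(id -u)"
        echo "export ANT_OPTS=\"$(ant_tmpdir_opts "$d")\""
    else
        echo "refusing to use $d: permissions are too open" >&2
        rm -rf "$d"
        exit 1
    fi
fi
```

Run `sh ant-tmpdir.sh --demo` and paste the printed `export ANT_OPTS=...` line into the shell (or the CI job) that launches `ant`; the `tmpdir_is_private` check is the part worth keeping in a build script, since a directory inherited from `TMPDIR` or a shared `/tmp` is exactly the world-accessible location the advisory warns about.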