[ https://issues.apache.org/jira/browse/MANTRUN-227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17196028#comment-17196028 ]

Hudson commented on MANTRUN-227:
--------------------------------

Build failed in Jenkins: Maven » Maven TLP » maven-antrun-plugin » master #21

See 
https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-antrun-plugin/job/master/21/

> Upgrade Ant to 1.10.8
> ---------------------
>
>                 Key: MANTRUN-227
>                 URL: https://issues.apache.org/jira/browse/MANTRUN-227
>             Project: Maven Antrun Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 3.0.0
>            Reporter: Sylwester Lachiewicz
>            Priority: Major
>              Labels: Security
>             Fix For: 3.1.0
>
>
> Versions Affected: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
>  
> *Medium: insecure temporary file vulnerability* 
> [CVE-2020-1945|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945]
> Apache Ant uses the default temporary directory identified by the Java system 
> property {{java.io.tmpdir}} for several tasks and may thus leak sensitive 
> information. The fixcrlf and replaceregexp tasks also copy files from the 
> temporary directory back into the build tree allowing an attacker to inject 
> modified source files into the build process.
> *Mitigation:* Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should 
> set the java.io.tmpdir system property to point to a directory only readable 
> and writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property {{ant.tmpfile}} 
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary files 
> if the underlying filesystem allows it, but we still recommend using a 
> private temporary directory instead.
> This was fixed in revisions 
> [9c1f4d905da59bf446570ac28df5b68a37281f35|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=9c1f4d905da59bf446570ac28df5b68a37281f35], 
> [041b058c7bf10a94d56db3ca9dba38cf90ab9943|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=041b058c7bf10a94d56db3ca9dba38cf90ab9943] 
> and 
> [a8645a151bc706259fb1789ef587d05482d98612|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=a8645a151bc706259fb1789ef587d05482d98612].
> This was first reported to the Security Team on 29 January 2020 and made 
> public on 13 May 2020.
> Affects: until 1.10.7



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
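The mitigation quoted in the issue description (point java.io.tmpdir at a directory only the current user can read and write before running Ant) as a small launcher wrapper. This is an added example, not code from the Jira thread, from Apache Ant or from maven-antrun-plugin. It assumes a POSIX shell with mktemp and stat, and an `ant` launcher on PATH that passes ANT_OPTS to the JVM (the stock Ant launcher script does). The function names are invented for this example.

```shell
#!/bin/sh
# Added example (not part of the Jira thread or the Ant project):
# run Ant with java.io.tmpdir pointing at a directory only the current
# user can read and write, as the CVE-2020-1945 advisory recommends for
# Ant 1.1-1.9.14 and 1.10.0-1.10.7.

# make_private_tmpdir: create a fresh mode-0700 directory under $TMPDIR
# (or /tmp) and print its path. mktemp -d already creates it 0700; the
# explicit chmod guards against a launcher that overrides that.
make_private_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/ant-private.XXXXXX") || return 1
    chmod 700 "$d" || return 1
    printf '%s\n' "$d"
}

# tmpdir_is_private: succeed only if the directory exists and its mode is
# exactly 700 (no group/world access). GNU stat first, BSD stat as fallback.
tmpdir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null) || return 1
    [ "$mode" = "700" ]
}

# ant_opts_for: the JVM flag that moves Ant's temporary files into $1.
ant_opts_for() {
    printf '%s' "-Djava.io.tmpdir=$1"
}

# run_ant_private: create the private directory, refuse to run if it is
# not actually private, hand it to Ant via ANT_OPTS, then clean it up.
run_ant_private() {
    d=$(make_private_tmpdir) || return 1
    if ! tmpdir_is_private "$d"; then
        echo "refusing to run ant: $d is not a private directory" >&2
        rm -rf "$d"
        return 1
    fi
    ANT_OPTS="${ANT_OPTS:+$ANT_OPTS }$(ant_opts_for "$d")" ant "$@"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: run_ant_private -f build.xml compile
```

The check in tmpdir_is_private matters because the weakness is not the path itself but that other local users can read or replace files in a shared tmp; a directory whose mode has drifted to 755 gives no protection. When Ant runs embedded in Maven through maven-antrun-plugin the JVM is Maven's, so the same -Djava.io.tmpdir flag belongs in MAVEN_OPTS rather than ANT_OPTS.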