Bug 23276

Summary: ant new arbitrary file write security issue (rhbz#1584407)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Java Stack Maintainers <java>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: mhrambo3501
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: ant-1.10.1-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2018-07-03 23:21:48 CEST 
Fedora has issued an advisory today (July 3):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/64OG345SY4HCX24PNWXYEJKFRMM2YT6C/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-07-03 23:22:45 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-07-24 21:48:33 CEST 
The issue was not fixed upstream in 1.9.12 and 1.10.4 as Ubuntu's CVE page suggested:
https://bugzilla.redhat.com/show_bug.cgi?id=1584407#c13

Follow-up fixes upstream are linked in the comment above.

Ubuntu has issued an advisory for this today (July 24):
https://usn.ubuntu.com/3721-1/

They used the CVE-2018-10886 that RedHat assigned, but that CVE was withdrawn as RedHat was not the proper CNA to assign a CVE for Apache Ant.
Comment 2 David Walser 2018-10-13 00:11:18 CEST 
openSUSE has issued an advisory for this on September 27:
https://lists.opensuse.org/opensuse-updates/2018-09/msg00154.html
Comment 3 David Walser 2019-01-01 04:38:07 CET 
ant-1.10.5-3.mga7 synced with Fedora 29 in Cauldron by David Geiger fixes this.

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 4 Mike Rambo 2019-11-06 13:31:25 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
CC: (none) => mrambo
Resolution: (none) => OLD