Bug 26618

Summary:	ant new security issue CVE-2020-1945
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	major
Priority:	Normal	CC:	andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	ant-1.10.6-2.mga8.src.rpm	CVE:
Status comment:

Description David Walser 2020-05-14 17:18:55 CEST

Apache has issued an advisory on May 13:
https://www.openwall.com/lists/oss-security/2020/05/13/1

The issue is mitigated in 1.10.8.

Mageia 7 is also affected.

David Walser 2020-05-14 17:19:09 CEST

Status comment: (none) => Fixed upstream in 1.10.8
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2020-05-22 22:18:12 CEST

Advisory:
Ant from mageia 7 is affected by a security issue, CVE-2020-1945

This update upgrades ant to version 1.10.8 to fix this.

References:


rpms:
ant-1.10.8-1.mga7
ant-lib-1.10.8-1.mga7
ant-jmf-1.10.8-1.mga7
ant-swing-1.10.8-1.mga7
ant-antlr-1.10.8-1.mga7
ant-apache-bsf-1.10.8-1.mga7
ant-apache-resolver-1.10.8-1.mga7
ant-commons-logging-1.10.8-1.mga7
ant-commons-net-1.10.8-1.mga7
ant-apache-bcel-1.10.8-1.mga7
ant-apache-log4j-1.10.8-1.mga7
ant-apache-oro-1.10.8-1.mga7
ant-apache-regexp-1.10.8-1.mga7
ant-apache-xalan2-1.10.8-1.mga7
ant-imageio-1.10.8-1.mga7
ant-javamail-1.10.8-1.mga7
ant-jdepend-1.10.8-1.mga7
ant-jsch-1.10.8-1.mga7
ant-junit-1.10.8-1.mga7
ant-junit5-1.10.8-1.mga7
ant-testutil-1.10.8-1.mga7
ant-xz-1.10.8-1.mga7
ant-manual-1.10.8-1.mga7
ant-javadoc-1.10.8-1.mga7

From:
ant-1.10.8-1.mga7

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 1.10.8 => (none)
CC: (none) => mageia
Assignee: java => qa-bugs

Comment 2 David Walser 2020-05-22 22:25:11 CEST

Advisory:
========================

Updated ant packages fix security vulnerability:

Apache Ant uses the default temporary directory identified by the Java system
property java.io.tmpdir for several tasks and may thus leak sensitive
information. The fixcrlf and replaceregexp tasks also copy files from the
temporary directory back into the build tree allowing an attacker to inject
modified source files into the build process (CVE-2020-1945).

The ant package has been updated to version 1.10.8 to fix this issue and other
bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945
https://ant.apache.org/security.html
https://ant.apache.org/antnews.html

Comment 3 Herman Viaene 2020-05-24 14:33:22 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues.
This is java developers stuff, so OK at clean install, unless someone else wants to have a go at it.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-26 03:09:05 CEST

Over my pay grade, that's for sure.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-27 14:48:23 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-05-27 20:18:43 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0237.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED