Bug 27386

Summary: ant new security issue CVE-2020-11979
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security    Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, sysadmin-bugs, zombie_ryushu
Version: 7    Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: ant-1.10.8-4.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-10-11 18:10:55 CEST
A security issue fixed upstream in Ant 1.10.9 has been announced on September 30:
https://www.openwall.com/lists/oss-security/2020/09/30/6
https://ant.apache.org/security.html

Mageia 7 is also affected.
David Walser 2020-10-11 18:11:06 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.10.9

Comment 1 David Walser 2020-10-27 22:31:29 CET
David Geiger updated Cauldron to 1.10.9 on October 21.

Fedora has issued an advisory for this on October 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/

CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 2 David Walser 2020-12-04 00:57:42 CET
*** Bug 27725 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 3 Nicolas Lécureuil 2021-03-16 00:01:38 CET
new version pushed in mga7

src:
    -  ant-1.10.9-1.mga7

CC: (none) => mageia
Status comment: Fixed upstream in 1.10.9 => (none)
Assignee: java => qa-bugs

Comment 4 David Walser 2021-03-16 00:21:09 CET
Advisory:
========================

Updated ant packages fix security vulnerability:

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of
temporary files it created so that only the current user was allowed to access
them. Unfortunately the fixcrlf task deleted the temporary file and created a
new one without said protection, effectively nullifying the effort. This would
still allow an attacker to inject modified source files into the build process
(CVE-2020-11979).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979
https://www.openwall.com/lists/oss-security/2020/09/30/6
https://ant.apache.org/security.html
========================

Updated packages in core/updates_testing:
========================
ant-1.10.9-1.mga7
ant-lib-1.10.9-1.mga7
ant-jmf-1.10.9-1.mga7
ant-swing-1.10.9-1.mga7
ant-antlr-1.10.9-1.mga7
ant-apache-bsf-1.10.9-1.mga7
ant-apache-resolver-1.10.9-1.mga7
ant-commons-logging-1.10.9-1.mga7
ant-commons-net-1.10.9-1.mga7
ant-apache-bcel-1.10.9-1.mga7
ant-apache-log4j-1.10.9-1.mga7
ant-apache-oro-1.10.9-1.mga7
ant-apache-regexp-1.10.9-1.mga7
ant-apache-xalan2-1.10.9-1.mga7
ant-imageio-1.10.9-1.mga7
ant-javamail-1.10.9-1.mga7
ant-jdepend-1.10.9-1.mga7
ant-jsch-1.10.9-1.mga7
ant-junit-1.10.9-1.mga7
ant-junit5-1.10.9-1.mga7
ant-testutil-1.10.9-1.mga7
ant-xz-1.10.9-1.mga7
ant-manual-1.10.9-1.mga7
ant-javadoc-1.10.9-1.mga7

from ant-1.10.9-1.mga7.src.rpm

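
The advisory above describes a regression class rather than an Ant-specific bug: a temp file is created owner-only, then a task deletes it and recreates it by name, so the new file silently inherits the umask default. The following is an added example, not Ant's code and not part of the bug report; it mirrors that pattern in Python on POSIX (names such as `rewrite_vulnerable` and `rewrite_hardened` are this example's own) and shows the in-place rewrite that keeps the 0600 protection.

```python
"""Temp-file permission regression of the kind behind CVE-2020-11979.

Added example, not Apache Ant code. It reproduces in Python the pattern the
advisory describes (a private temp file is deleted and recreated with default
permissions) and a hardened rewrite that keeps the file owner-only. POSIX only.
"""
import os
import stat
import tempfile


def _mode(path: str) -> int:
    """Return the permission bits of *path*, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_private_tempfile(content: bytes = b"") -> str:
    """Create a temp file readable/writable only by its owner (mode 0600).

    tempfile.mkstemp() opens with O_CREAT|O_EXCL and mode 0600, the same
    protection Ant 1.10.8 added for its temp files after CVE-2020-1945.
    """
    fd, path = tempfile.mkstemp(prefix="example-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def rewrite_vulnerable(path: str, new_content: bytes) -> int:
    """Flawed pattern: delete the protected file, then recreate it by name.

    open(path, "wb") creates with 0666 & ~umask (typically 0644), so the
    owner-only protection is lost; another local user can now read the file
    or, in a shared temp directory, pre-create the path before we do.
    Returns the resulting permission bits.
    """
    os.remove(path)
    with open(path, "wb") as fh:
        fh.write(new_content)
    return _mode(path)


def rewrite_hardened(path: str, new_content: bytes) -> int:
    """Rewrite in place and keep the 0600 protection.

    Opening the existing file with O_WRONLY|O_TRUNC (no O_CREAT) keeps the
    inode and its mode bits, and fails closed if the file has disappeared.
    If a fresh file is really needed, recreate it with
    os.open(path, O_CREAT|O_EXCL|O_WRONLY, 0o600) so the mode is set atomically.
    Returns the resulting permission bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC)
    with os.fdopen(fd, "wb") as fh:
        fh.write(new_content)
    return _mode(path)


def demo() -> dict:
    """Run both patterns under a fixed umask and report the resulting modes."""
    old_umask = os.umask(0o022)  # make the default create mode deterministic (0644)
    try:
        path = create_private_tempfile(b"original")
        initial = _mode(path)
        after_vulnerable = rewrite_vulnerable(path, b"modified")
        os.remove(path)

        path = create_private_tempfile(b"original")
        after_hardened = rewrite_hardened(path, b"modified")
        os.remove(path)
    finally:
        os.umask(old_umask)
    return {
        "initial": initial,
        "after_delete_and_recreate": after_vulnerable,
        "after_hardened_rewrite": after_hardened,
    }


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:o}")
```

Running it prints 600 for the freshly created file, 644 after the delete-and-recreate pattern, and 600 again after the in-place rewrite; the middle value is the regression the 1.10.9 fix removes from fixcrlf.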
Comment 5 Thomas Andrews 2021-04-02 23:20:15 CEST
The following 24 packages are going to be installed:

- ant-1.10.9-1.mga7.noarch
- ant-antlr-1.10.9-1.mga7.noarch
- ant-apache-bcel-1.10.9-1.mga7.noarch
- ant-apache-bsf-1.10.9-1.mga7.noarch
- ant-apache-log4j-1.10.9-1.mga7.noarch
- ant-apache-oro-1.10.9-1.mga7.noarch
- ant-apache-regexp-1.10.9-1.mga7.noarch
- ant-apache-resolver-1.10.9-1.mga7.noarch
- ant-apache-xalan2-1.10.9-1.mga7.noarch
- ant-commons-logging-1.10.9-1.mga7.noarch
- ant-commons-net-1.10.9-1.mga7.noarch
- ant-imageio-1.10.9-1.mga7.noarch
- ant-javadoc-1.10.9-1.mga7.noarch
- ant-javamail-1.10.9-1.mga7.noarch
- ant-jdepend-1.10.9-1.mga7.noarch
- ant-jmf-1.10.9-1.mga7.noarch
- ant-jsch-1.10.9-1.mga7.noarch
- ant-junit-1.10.9-1.mga7.noarch
- ant-junit5-1.10.9-1.mga7.noarch
- ant-lib-1.10.9-1.mga7.noarch
- ant-manual-1.10.9-1.mga7.noarch
- ant-swing-1.10.9-1.mga7.noarch
- ant-testutil-1.10.9-1.mga7.noarch
- ant-xz-1.10.9-1.mga7.noarch

All packages updated cleanly.

According to https://ant.apache.org/:

"Apache Ant is a Java library and command-line tool whose mission is to drive processes described in build files as targets and extension points dependent upon each other. The main known usage of Ant is the build of Java applications."

In other words, developer stuff.

OKing and validating on a clean install. Advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-04-03 14:16:43 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-04-03 15:17:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0173.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED