Bug 26618 - ant new security issue CVE-2020-1945
Summary: ant new security issue CVE-2020-1945
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-14 17:18 CEST by David Walser
Modified: 2020-05-27 20:18 CEST (History)
4 users (show)

See Also:
Source RPM: ant-1.10.6-2.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-05-14 17:18:55 CEST
Apache has issued an advisory on May 13:
https://www.openwall.com/lists/oss-security/2020/05/13/1

The issue is mitigated in 1.10.8.

Mageia 7 is also affected.
David Walser 2020-05-14 17:19:09 CEST

Status comment: (none) => Fixed upstream in 1.10.8
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2020-05-22 22:18:12 CEST
Advisory:
Ant from mageia 7 is affected by a security issue, CVE-2020-1945

This update upgrades ant to version 1.10.8 to fix this.

References:


rpms:
ant-1.10.8-1.mga7
ant-lib-1.10.8-1.mga7
ant-jmf-1.10.8-1.mga7
ant-swing-1.10.8-1.mga7
ant-antlr-1.10.8-1.mga7
ant-apache-bsf-1.10.8-1.mga7
ant-apache-resolver-1.10.8-1.mga7
ant-commons-logging-1.10.8-1.mga7
ant-commons-net-1.10.8-1.mga7
ant-apache-bcel-1.10.8-1.mga7
ant-apache-log4j-1.10.8-1.mga7
ant-apache-oro-1.10.8-1.mga7
ant-apache-regexp-1.10.8-1.mga7
ant-apache-xalan2-1.10.8-1.mga7
ant-imageio-1.10.8-1.mga7
ant-javamail-1.10.8-1.mga7
ant-jdepend-1.10.8-1.mga7
ant-jsch-1.10.8-1.mga7
ant-junit-1.10.8-1.mga7
ant-junit5-1.10.8-1.mga7
ant-testutil-1.10.8-1.mga7
ant-xz-1.10.8-1.mga7
ant-manual-1.10.8-1.mga7
ant-javadoc-1.10.8-1.mga7

From:
ant-1.10.8-1.mga7

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 1.10.8 => (none)
CC: (none) => mageia
Assignee: java => qa-bugs

Comment 2 David Walser 2020-05-22 22:25:11 CEST
Advisory:
========================

Updated ant packages fix security vulnerability:

Apache Ant uses the default temporary directory identified by the Java system
property java.io.tmpdir for several tasks and may thus leak sensitive
information. The fixcrlf and replaceregexp tasks also copy files from the
temporary directory back into the build tree allowing an attacker to inject
modified source files into the build process (CVE-2020-1945).

The ant package has been updated to version 1.10.8 to fix this issue and other
bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945
https://ant.apache.org/security.html
https://ant.apache.org/antnews.html
Comment 3 Herman Viaene 2020-05-24 14:33:22 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
This is java developers stuff, so OK at clean install, unless someone else wants to have a go at it.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-05-26 03:09:05 CEST
Over my pay grade, that's for sure.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Nicolas Lécureuil 2020-05-27 14:48:23 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-05-27 20:18:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0237.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.