A security issue fixed upstream in Ant 1.10.9 has been announced on September 30:
https://www.openwall.com/lists/oss-security/2020/09/30/6
https://ant.apache.org/security.html
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.10.9
David Geiger updated Cauldron to 1.10.9 on October 21. Fedora has issued an advisory for this on October 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/U3NRQQ7ECII4ZNGW7GBC225LVYMPQEKB/
CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
*** Bug 27725 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
new version pushed in mga7 src:
- ant-1.10.9-1.mga7
CC: (none) => mageia
Status comment: Fixed upstream in 1.10.9 => (none)
Assignee: java => qa-bugs
Advisory:
========================

Updated ant packages fix security vulnerability:

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process (CVE-2020-11979).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979
https://www.openwall.com/lists/oss-security/2020/09/30/6
https://ant.apache.org/security.html
========================

Updated packages in core/updates_testing:
========================
ant-1.10.9-1.mga7
ant-lib-1.10.9-1.mga7
ant-jmf-1.10.9-1.mga7
ant-swing-1.10.9-1.mga7
ant-antlr-1.10.9-1.mga7
ant-apache-bsf-1.10.9-1.mga7
ant-apache-resolver-1.10.9-1.mga7
ant-commons-logging-1.10.9-1.mga7
ant-commons-net-1.10.9-1.mga7
ant-apache-bcel-1.10.9-1.mga7
ant-apache-log4j-1.10.9-1.mga7
ant-apache-oro-1.10.9-1.mga7
ant-apache-regexp-1.10.9-1.mga7
ant-apache-xalan2-1.10.9-1.mga7
ant-imageio-1.10.9-1.mga7
ant-javamail-1.10.9-1.mga7
ant-jdepend-1.10.9-1.mga7
ant-jsch-1.10.9-1.mga7
ant-junit-1.10.9-1.mga7
ant-junit5-1.10.9-1.mga7
ant-testutil-1.10.9-1.mga7
ant-xz-1.10.9-1.mga7
ant-manual-1.10.9-1.mga7
ant-javadoc-1.10.9-1.mga7

from ant-1.10.9-1.mga7.src.rpm
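To make the regression described in the advisory concrete, here is an added illustrative model in Java; it is not Ant's own code and the class and method names are mine. It shows a temp file created owner-only, the unsafe delete-and-recreate pattern that loses that protection (the file then gets the process umask default), and the corrective pattern of re-applying the restrictive attribute; it assumes a POSIX filesystem and makes no claim about the exact change in 1.10.9.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/** Illustrative model (hypothetical, not Ant's code) of the temp-file regression in CVE-2020-11979. */
public class TempFilePermsDemo {
    // Owner-only permissions: the protection the 1.10.8 mitigation gave temporary files.
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");
    private static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY_ATTR =
            PosixFilePermissions.asFileAttribute(OWNER_ONLY);

    /** Step 1: the temporary file is created so that only the current user can access it. */
    static Path createProtectedTemp() throws IOException {
        return Files.createTempFile("demo-", ".tmp", OWNER_ONLY_ATTR);
    }

    /** Vulnerable pattern: delete the protected file and recreate it with no explicit
     *  permissions, so the new file only gets whatever the process umask allows. */
    static Path deleteAndRecreateUnprotected(Path p) throws IOException {
        Files.delete(p);
        return Files.createFile(p);
    }

    /** Corrected pattern: whenever the file is recreated, pass the same owner-only attribute. */
    static Path deleteAndRecreateProtected(Path p) throws IOException {
        Files.delete(p);
        return Files.createFile(p, OWNER_ONLY_ATTR);
    }

    /** Check a reviewer can reuse on any build temp file: is it still owner-only? */
    static boolean isOwnerOnly(Path p) throws IOException {
        return Files.getPosixFilePermissions(p).equals(OWNER_ONLY);
    }

    public static void main(String[] args) throws IOException {
        Path t = createProtectedTemp();
        System.out.println("created:             ownerOnly=" + isOwnerOnly(t));
        t = deleteAndRecreateUnprotected(t);
        System.out.println("vulnerable recreate: ownerOnly=" + isOwnerOnly(t));
        t = deleteAndRecreateProtected(t);
        System.out.println("fixed recreate:      ownerOnly=" + isOwnerOnly(t));
        Files.deleteIfExists(t);
    }
}
```

Running it with a typical umask (022) shows the middle step widening the file to group/world-readable, which is the window the advisory refers to when it says the fixcrlf task nullified the protection.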
The following 24 packages are going to be installed:
- ant-1.10.9-1.mga7.noarch
- ant-antlr-1.10.9-1.mga7.noarch
- ant-apache-bcel-1.10.9-1.mga7.noarch
- ant-apache-bsf-1.10.9-1.mga7.noarch
- ant-apache-log4j-1.10.9-1.mga7.noarch
- ant-apache-oro-1.10.9-1.mga7.noarch
- ant-apache-regexp-1.10.9-1.mga7.noarch
- ant-apache-resolver-1.10.9-1.mga7.noarch
- ant-apache-xalan2-1.10.9-1.mga7.noarch
- ant-commons-logging-1.10.9-1.mga7.noarch
- ant-commons-net-1.10.9-1.mga7.noarch
- ant-imageio-1.10.9-1.mga7.noarch
- ant-javadoc-1.10.9-1.mga7.noarch
- ant-javamail-1.10.9-1.mga7.noarch
- ant-jdepend-1.10.9-1.mga7.noarch
- ant-jmf-1.10.9-1.mga7.noarch
- ant-jsch-1.10.9-1.mga7.noarch
- ant-junit-1.10.9-1.mga7.noarch
- ant-junit5-1.10.9-1.mga7.noarch
- ant-lib-1.10.9-1.mga7.noarch
- ant-manual-1.10.9-1.mga7.noarch
- ant-swing-1.10.9-1.mga7.noarch
- ant-testutil-1.10.9-1.mga7.noarch
- ant-xz-1.10.9-1.mga7.noarch

All packages updated cleanly.

According to https://ant.apache.org/:
"Apache Ant is a Java library and command-line tool whose mission is to drive processes described in build files as targets and extension points dependent upon each other. The main known usage of Ant is the build of Java applications."

In other words, developer stuff. OKing and validating on a clean install. Advisory in Comment 4.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0173.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED