-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Apache Ant Team is pleased to announce the release of Apache Ivy 2.5.1.
Apache Ivy is a dependency manager focusing on flexibility and simplicity with strong integration into the Apache Ant build tool. Ivy 2.5.1 is bugfix release and addresses two path traversal vulnerabilities, see the upcoming CVE announcement or https://ant.apache.org/ivy/security.html for details. Source and binary distributions are available for download from the Apache Ivy download site: https://ant.apache.org/ivy/download.cgi When downloading, please verify signatures using the KEYS file available at the above location when downloading the release. Changes in 2.5.1 include: ========================= - - BREAKING: Removed old fr\jayasoft\ivy\ant\antlib.xml AntLib definition file (see IVY-1612) - - FIX: ResolveEngine resets dictator resolver to null in the global configuration (see IVY-1618) - - FIX: ConcurrentModificationException in MessageLoggerHelper.sumupProblems (see IVY-1628) - - FIX: useOrigin="true" fails with file-based ibiblio (see IVY-1616) - - FIX: ivy:retrieve Ant task didn't create an empty fileset when no files were retrieved to a non-empty directory (see IVY-1631) - - FIX: ivy:retrieve Ant task relied on the default HTTP header "Accept" which caused problems with servers that interpret it strictly (e.g. AWS CodeArtifact) (see IVY-1632) - - IMPROVEMENT: Ivy command now accepts a URL for the -settings option (see IVY-1615) - - FIX: CVE-2022-37865 allow create/overwrite any file on the system (see https://ant.apache.org/ivy/security.html) - - FIX: CVE-2022-37866 Path traversal in patterns (see https://ant.apache.org/ivy/security.html) For complete information on Ivy, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Ivy website: https://ant.apache.org/ivy/ Stefan Bodewig, on behalf of the Apache Ant community -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAmNk8ecACgkQohFa4V9ri3KZ5wCgqMKXyK121kiPGiRi1HsLckAi S+0Anjhk4KTIXfSbQVZEomvv6AxVBQ1W =XsJz -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
