[ https://issues.apache.org/jira/browse/HIVE-23583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Renukaprasad C updated HIVE-23583:
----------------------------------
    Attachment:     (was: HIVE-23583.01.patch)

> Fix CVE-2020-1945: Apache Ant insecure temporary file vulnerability by
> updating to latest ANT
> ---------------------------------------------------------------------------------------------
>
>                 Key: HIVE-23583
>                 URL: https://issues.apache.org/jira/browse/HIVE-23583
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.2
>            Reporter: Renukaprasad C
>            Assignee: Renukaprasad C
>            Priority: Major
>             Fix For: 4.0.0
>
>         Attachments: HIVE-23583.01.patch
>
>
> Update ANT to fix:
> CVE-2020-1945: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
> Description:
> Apache Ant uses the default temporary directory identified by the Java
> system property java.io.tmpdir for several tasks and may thus leak
> sensitive information. The fixcrlf and replaceregexp tasks also copy
> files from the temporary directory back into the build tree allowing an
> attacker to inject modified source files into the build process.
> Mitigation:
> Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
> java.io.tmpdir system property to point to a directory only readable and
> writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
> files if the underlying filesystem allows it, but we still recommend
> using a private temporary directory instead.
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1945
> https://nvd.nist.gov/vuln/detail/CVE-2020-1945

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
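
The mitigation quoted above (point java.io.tmpdir at a directory only the current user can read and write before running Ant), as an added shell example that is not part of the Jira message or the attached patch. The function names are hypothetical; ANT_OPTS is the environment variable the Ant launcher script passes to the JVM.

```shell
#!/bin/sh
# Added example: run Ant with a private java.io.tmpdir (CVE-2020-1945 mitigation).
# Function names are hypothetical; nothing here comes from the Hive patch.

# is_private_dir DIR: succeed only if DIR is a real directory (not a symlink),
# owned by the current user, with permission bits exactly 0700.
is_private_dir() {
    [ -n "$1" ] || return 1
    # find does not follow a symlink given on the command line, so a link
    # pointing at a private directory is rejected as well.
    [ "$(find "$1" -prune -type d -user "$(id -u)" -perm 700 2>/dev/null)" = "$1" ]
}

# make_private_tmpdir [BASE]: create a fresh 0700 directory under BASE
# (default: $TMPDIR or /tmp) and print its path.
make_private_tmpdir() {
    base=${1:-${TMPDIR:-/tmp}}
    dir=$(umask 077 && mktemp -d "$base/ant-tmp.XXXXXX") || return 1
    is_private_dir "$dir" || { rmdir "$dir" 2>/dev/null; return 1; }
    printf '%s\n' "$dir"
}

# ant_opts_with_tmpdir DIR: print an ANT_OPTS value that sets java.io.tmpdir
# to DIR, keeping any existing options. Refuses a directory that other users
# could read or write, since that is the condition the advisory warns about.
ant_opts_with_tmpdir() {
    is_private_dir "$1" || { echo "refusing shared temp dir: $1" >&2; return 1; }
    printf '%s\n' "${ANT_OPTS:+$ANT_OPTS }-Djava.io.tmpdir=$1"
}

# run_ant_private ARGS...: run ant with a private temp dir, then remove it.
run_ant_private() {
    tmp=$(make_private_tmpdir) || return 1
    opts=$(ant_opts_with_tmpdir "$tmp") || { rmdir "$tmp"; return 1; }
    ANT_OPTS=$opts ant "$@"
    rc=$?
    rm -rf -- "$tmp"
    return "$rc"
}
```

Source the file and call `run_ant_private` with the usual Ant targets; the temporary directory exists only for that one build.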