Sylwester Lachiewicz created MANTRUN-227:
--------------------------------------------

             Summary: Upgrade Ant to 1.10.8
                 Key: MANTRUN-227
                 URL: https://issues.apache.org/jira/browse/MANTRUN-227
             Project: Maven Antrun Plugin
          Issue Type: Dependency upgrade
    Affects Versions: 3.0.0, 1.8, 1.7, 1.6, 1.5, 1.4, 1.3, 1.2, 1.1
            Reporter: Sylwester Lachiewicz
             Fix For: 3.1.0


Versions Affected: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
*Medium: insecure temporary file vulnerability* 
[CVE-2020-1945|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945]

Apache Ant uses the default temporary directory identified by the Java system 
property {{java.io.tmpdir}} for several tasks and may thus leak sensitive 
information. The fixcrlf and replaceregexp tasks also copy files from the 
temporary directory back into the build tree allowing an attacker to inject 
modified source files into the build process.

*Mitigation:* Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should 
set the java.io.tmpdir system property to point to a directory only readable 
and writable by the current user prior to running Ant.

Users of versions 1.9.15 and 1.10.8 can use the Ant property {{ant.tmpfile}} 
instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary files if 
the underlying filesystem allows it, but we still recommend using a private 
temporary directory instead.

This was fixed in revisions 
[9c1f4d905da59bf446570ac28df5b68a37281f35|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=9c1f4d905da59bf446570ac28df5b68a37281f35], 
[041b058c7bf10a94d56db3ca9dba38cf90ab9943|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=041b058c7bf10a94d56db3ca9dba38cf90ab9943] 
and 
[a8645a151bc706259fb1789ef587d05482d98612|https://gitbox.apache.org/repos/asf?p=ant.git;a=commit;h=a8645a151bc706259fb1789ef587d05482d98612].

This was first reported to the Security Team on 29 January 2020 and made public 
on 13 May 2020.

Affects: until 1.10.7
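The mitigation above (a private, user-only temporary directory set via {{java.io.tmpdir}} before Ant runs) as a worked shell example. This is an added example, not code from the Ant advisory or from the Maven Antrun Plugin project. It assumes a POSIX sh with {{mktemp(1)}} and {{stat(1)}} (GNU or BSD variants), and that the {{ant}} and {{mvn}} launchers pick the option up from {{ANT_OPTS}} / {{MAVEN_OPTS}}; the directory name prefix {{ant-private}} is just a chosen value.

```shell
#!/bin/sh
# Added example (not from the Ant advisory or the Maven Antrun Plugin project):
# create a per-user private temporary directory and point the JVM that runs Ant
# (directly, or in-process via the Maven Antrun Plugin) at it through the
# java.io.tmpdir system property, as the advisory's mitigation recommends.
# Assumes POSIX sh with mktemp(1) and stat(1) (GNU first, BSD as fallback).

# Return 0 only if $1 is a directory owned by the current user with mode 0700,
# i.e. readable and writable by nobody else. Used as the pre-run check.
check_private_dir() {
    d=$1
    [ -d "$d" ] || return 1
    # stat(1) format flags differ between GNU and BSD; try GNU first.
    if m=$(stat -c '%a' "$d" 2>/dev/null); then
        o=$(stat -c '%u' "$d")
    else
        m=$(stat -f '%Lp' "$d" 2>/dev/null) || return 1
        o=$(stat -f '%u' "$d")
    fi
    [ "$m" = "700" ] || return 1
    [ "$o" = "$(id -u)" ] || return 1
    return 0
}

# Create a fresh private temp dir under $TMPDIR (or /tmp), verify it, and print
# its path. The name is unpredictable, so it cannot be pre-created by another
# local user; the mode is enforced explicitly rather than trusted to umask.
make_private_tmpdir() {
    base=${TMPDIR:-/tmp}
    p=$(mktemp -d "$base/ant-private.XXXXXX") || return 1
    chmod 700 "$p" || { rmdir "$p"; return 1; }
    check_private_dir "$p" || { rmdir "$p"; return 1; }
    printf '%s\n' "$p"
}

# Build the JVM option that both the ant and mvn launchers accept via
# ANT_OPTS / MAVEN_OPTS.
tmpdir_jvm_opts() {
    printf -- '-Djava.io.tmpdir=%s\n' "$1"
}

# Usage: set up the private directory, export the option for both launchers,
# run the build, then remove the directory so no temp files linger.
main() {
    priv=$(make_private_tmpdir) || { echo "cannot create private tmpdir" >&2; return 1; }
    opt=$(tmpdir_jvm_opts "$priv")
    export ANT_OPTS="${ANT_OPTS:+$ANT_OPTS }$opt"
    export MAVEN_OPTS="${MAVEN_OPTS:+$MAVEN_OPTS }$opt"
    echo "ANT_OPTS=$ANT_OPTS"
    echo "MAVEN_OPTS=$MAVEN_OPTS"
    # Place the real build here, e.g.:  ant -f build.xml   or   mvn verify
    rm -rf "$priv"
}
```

The check runs before the build rather than after, because the exposure the advisory describes (other local users reading Ant's scratch files, or planting files that {{fixcrlf}} and {{replaceregexp}} copy back into the tree) exists for the whole duration of the run; a directory that is only 0700 by accident of umask is not enough, hence the explicit {{chmod}} and the owner comparison.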



--
This message was sent by Atlassian Jira
(v8.3.4#803005)