[ https://issues.apache.org/jira/browse/GROOVY-9788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul King closed GROOVY-9788.
-----------------------------
> Bump Ant version to 1.10.9 (fixes Apache Ant CVE-2020-11979)
> ------------------------------------------------------------
>
> Key: GROOVY-9788
> URL: https://issues.apache.org/jira/browse/GROOVY-9788
> Project: Groovy
> Issue Type: Dependency upgrade
> Affects Versions: 3.0.6
> Reporter: Angela Guardian
> Assignee: Paul King
> Priority: Major
> Fix For: 3.0.7, 4.0.0-alpha-2
>
>
> {quote}
> As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of
> temporary files it created so that only the current user was allowed to
> access them. Unfortunately the fixcrlf task deleted the temporary file and
> created a new one without said protection, effectively nullifying the effort.
> This would still allow an attacker to inject modified source files into the
> build process.
> {quote}
> [1] [CVE Reference|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979]
> [2] [Apache Ant Security Reports|https://ant.apache.org/security.html]
> Overall risk assessment for Groovy: *low*
> Details:
> * Groovy's internal usage of Ant is not affected by the above-mentioned CVE.
> * We encourage Groovy users using Groovy in combination with Ant, e.g.
> {{AntBuilder}} to read the Apache Ant Security Report[1] and follow the
> mitigation advice. In particular, anyone using the {{fixcrlf}} Ant task
> should take note.
> * Recent Groovy versions, e.g. 3.0.6, have been built against Ant 1.10.8 but
> do not require that version and can safely be used with Ant 1.10.9 which has
> additional protections against the vulnerability mentioned in the CVE.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
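The failure mode the quoted advisory describes (a temp file created with owner-only permissions, then deleted and recreated by name so the recreated file inherits whatever the process umask allows) is easy to reproduce outside Ant. The following is an added example, not code from the Jira issue, from Groovy, or from Apache Ant; it is written in Python rather than Ant's Java to keep it runnable stand-alone, and every function name in it is mine. It creates a private temp file the way Ant 1.10.8 does, rewrites it with the delete-and-recreate pattern the advisory blames, rewrites it again with an explicit mode and O_EXCL, and reports the permission bits after each step together with a check a build engineer can point at a build's temp directory.

```python
import os
import stat
import tempfile


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path: str) -> bool:
    """Audit check: regular file, owned by us, no group/other bits.

    This is the property the Ant 1.10.8 mitigation was meant to guarantee
    for every temp file a build touches.
    """
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.getuid()
            and stat.S_IMODE(st.st_mode) == 0o600)


def create_private_tempfile(content: bytes) -> str:
    """Mirror of the 1.10.8 behaviour: mkstemp opens with O_EXCL and mode 0600."""
    fd, path = tempfile.mkstemp(prefix="fixcrlf-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def rewrite_unsafe(path: str, content: bytes) -> None:
    """The pattern the advisory describes for fixcrlf: delete the protected
    file and recreate it by name. The new file gets 0666 & ~umask (0644 with
    the usual umask), and between remove() and open() another local user can
    create the same name in the shared temp directory."""
    os.remove(path)
    with open(path, "wb") as f:
        f.write(content)


def rewrite_safe(path: str, content: bytes) -> None:
    """Recreate with an explicit 0600 mode and O_EXCL, so the file is never
    group/world accessible and the call fails instead of writing into a file
    someone else pre-created under that name."""
    os.remove(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(content)


def demonstrate() -> dict:
    """Run both rewrite paths under a fixed umask of 022 and report the modes.

    The payload is constructed sample input standing in for a source file
    whose line endings fixcrlf would normalise.
    """
    old_umask = os.umask(0o022)
    try:
        crlf = b"class A {\r\n}\r\n"
        lf = crlf.replace(b"\r\n", b"\n")
        path = create_private_tempfile(crlf)
        result = {"created": file_mode(path), "created_private": is_private(path)}
        rewrite_unsafe(path, lf)
        result["after_unsafe"] = file_mode(path)
        result["unsafe_private"] = is_private(path)
        rewrite_safe(path, lf)
        result["after_safe"] = file_mode(path)
        result["safe_private"] = is_private(path)
        os.remove(path)
        return result
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

The mode values assume a POSIX filesystem; on Windows `st_mode` does not carry these bits. Note that `rewrite_safe` still has a remove/create window; it closes the permissions hole and turns the name race into a hard failure rather than a silent write into an attacker-owned file. If the build can keep the original descriptor, truncating and rewriting through it (no delete at all) avoids the window entirely.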