CVE-2022-37866: Apache Ivy: Ivy Path traversal

2022-11-04 Thread Stefan Bodewig
Severity: medium Description: When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifact coordinates like the organisation, module or ve

CVE-2022-37865: Apache Ivy allow create/overwrite any file on the system

2022-11-04 Thread Stefan Bodewig
Severity: medium Description: With Apache Ivy 2.4.0 an optional packaging attribute has been introduced that allows artifacts to be unpacked on the fly if they used pack200 or zip packaging. For artifacts using the "zip", "jar" or "war" packaging Ivy prior to 2.5.1 doesn't verify the target path

[ANN] Apache Ivy 2.5.1 Released

2022-11-04 Thread Stefan Bodewig
The Apache Ant Team is pleased to announce the release of Apache Ivy 2.5.1. Apache Ivy is a dependency manager focusing on flexibility and simplicity with strong integration into the Apache Ant build tool. Ivy 2.5.1 is a bugfix release and addresses tw

[RESULT] Release Ivy 2.5.1 Based on RC1

2022-11-04 Thread Stefan Bodewig
Hi all, with +1s by Jaikiran, Martijn and my own implicit one, the vote has passed. I'll start publishing the release and send out the announcements soonish. Thanks to all who helped with the release. Stefan - To unsubscribe, e-ma