CVE-2022-46751: Apache Ivy: XML External Entity vulnerability in Apache Ivy
Severity: moderate

Affected versions:
- Apache Ivy 1.0.0 through 2.5.1

Description:

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy. This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to, or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2, DTD processing is disabled by default, except when parsing Maven POMs, where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs; see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".
Credit:
CC Bomber, Kitri BoB (finder)
Jenkins Security Team (reporter)

References:
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-94ABC0EE-9DC8-44F0-84AD-47ADD5340477
https://gitbox.apache.org/repos/asf?p=ant-ivy.git;a=commit;h=2be17bc18b0e1d4123007d579e43ba1a4b6fab3d
https://lists.apache.org/thread/9gcz4xrsn8c7o9gb377xfzvkb8jltffr
https://ant.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46751

Timeline:
2022-11-30: reported to the ASF security team
2023-08-20: made public

- To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org
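As an added illustration (not Ivy's code and not part of the original advisory) of the JAXP restriction the advisory's last paragraph points to: `XMLConstants.ACCESS_EXTERNAL_DTD` set to the empty string is the per-factory form of the `javax.xml.accessExternalDTD` system property, and it blocks the external DTD fetch while leaving a document with only an inline DTD subset parseable. Both sample documents and the DTD URL are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class RestrictedDtdParsing {

    // Constructed sample 1: a POM-like document whose DOCTYPE points at an external DTD.
    // An unrestricted JAXP parser would fetch this URL (the behaviour CVE-2022-46751 describes).
    static final String POM_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE project SYSTEM \"http://dtd.example.invalid/pom.dtd\">\n"
        + "<project><artifactId>demo</artifactId></project>\n";

    // Constructed sample 2: the DTD is an internal subset, so no external access is needed.
    static final String POM_INTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE project [ <!ENTITY nbsp \"&#160;\"> ]>\n"
        + "<project><name>a&nbsp;b</name></project>\n";

    // Per-factory equivalent of -Djavax.xml.accessExternalDTD="" from the JAXP security guide:
    // an empty protocol list forbids every external DTD and external entity fetch.
    static DocumentBuilder restrictedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Returns the root element name, or null when the restricted parser refused the document.
    static String parseRoot(String xml) throws Exception {
        try {
            Document d = restrictedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // With accessExternalDTD="" the JDK parser reports the blocked fetch as a
            // fatal parse error instead of contacting the remote host.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external DTD -> " + parseRoot(POM_EXTERNAL_DTD));
        System.out.println("internal DTD -> " + parseRoot(POM_INTERNAL_DTD));
    }
}
```

For an Ivy release before 2.5.2, whose parser setup cannot be changed from outside, the same restriction is applied JVM-wide by passing -Djavax.xml.accessExternalDTD="" to the JVM that runs Ant (for example through the ANT_OPTS environment variable); which launcher variable fits is an assumption about the deployment, not something the advisory spells out.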
[ANN] Apache Ivy 2.5.2 Released
The Apache Ant Team is pleased to announce the release of Apache Ivy 2.5.2.

Apache Ivy is a dependency manager focusing on flexibility and simplicity with strong integration into the Apache Ant build tool.

Ivy 2.5.2 is a bugfix release and addresses an XML external entity injection vulnerability, see the upcoming CVE announcement or https://ant.apache.org/ivy/security.html for details.

Source and binary distributions are available for download from the Apache Ivy download site:

https://ant.apache.org/ivy/download.cgi

When downloading, please verify signatures using the KEYS file available at the above location.

Changes in 2.5.2 include:

- FIX: ivy:retrieve could fail because of a `NullPointerException` (IVY-1641)
- FIX: reading POMs may lose dependencies when multiple Maven dependencies only differ in `classifier` (IVY-1642)
- IMPROVEMENT: Upgrade Apache HttpClient to 4.5.13 (IVY-1644)
- FIX: CVE-2022-46751: Apache Ivy Is Vulnerable to XML External Entity Injections

For complete information on Ivy, including instructions on how to submit bug reports, patches, or suggestions for improvement, see the Apache Ivy website:

https://ant.apache.org/ivy/

Stefan Bodewig, on behalf of the Apache Ant community
[RESULT] Release Ivy 2.5.2 Based on RC2
Hi

With three binding +1s by Maarten, Jaikiran and myself, the vote has passed.

I'll proceed with publishing the release artifacts and will announce the release after the mirrors had time to catch up.

Thanks to all who took a look at the release candidate.

Stefan
[RESULT] Release Apache Ant 1.10.14 based on RC1
With (binding) +1s for Stefan, Maarten, me and Paul (non-binding), this vote has now passed. I'll now go ahead with the rest of the release process.

Thank you all for the help in moving this release forward.

-Jaikiran

On 16/08/23 6:05 pm, Jaikiran Pai wrote:
> Hello everyone,
>
> I've created RC1 release candidate for Ant 1.10.14 release:
>
> git tag: ANT_1.10.14_RC1 on commit: 53f19eccf49acf526415997046dca5a5135b0e8f
> tarballs: https://dist.apache.org/repos/dist/dev/ant/ revision: 63474
> Maven artifacts: https://repository.apache.org/content/repositories/orgapacheant-1057
>
> Apart from regular bug fixes, this 1.10.14 release has crucial changes around Ant's usage of Java SecurityManager. Many of you will be aware that Java 17 deprecated (for removal) the use of SecurityManager. Java 18 then disallowed setting SecurityManager at runtime, by default. Ant internally sets a SecurityManager at runtime to prevent System.exit() calls from within tasks from killing the JVM in which the Ant process is running.
>
> In Ant 1.10.13, we tried to keep using the SecurityManager internally for a few more releases in Ant, to facilitate projects to use Ant without requiring (major) changes to their build. The workarounds we put in place in Ant 1.10.13 were brittle and complex and although we had hoped they won't break user builds, they did end up breaking several builds. Ultimately, these workarounds for usage of SecurityManager are no longer feasible or adding value.
>
> As such, this 1.10.14 release of Ant will no longer use (or set) Java SecurityManager when running on Java versions 18 and higher. This has implications for projects using Ant. Specifically, if any of the build tasks (for example the "", "" or "" tasks) or libraries used in those tasks are calling System.exit() or Runtime.exit() and aren't forking a new JVM, then when running on Java 18 and higher, they may notice that the Ant JVM process gets killed.
>
> Such builds are recommended to either not call System.exit()/Runtime.exit() or use the "fork=true" option in relevant tasks (wherever appropriate). Furthermore, the usage of the "" type when running on Java 18 and higher is no longer supported. More details are available in the manual of that type: https://dist.apache.org/repos/dist/dev/ant/manual/.
>
> The complete set of changes in this release is noted in https://dist.apache.org/repos/dist/dev/ant/RELEASE-NOTES-1.10.14.html.
>
> Please do give this proposed release version a try against whichever Java runtime versions you plan to use it against (this version requires a minimum of Java 8 runtime, like any other Ant 1.10.x version). Even if you don't vote, if you do run into issues, please report back - it takes time to create Ant releases, so catching any blocker issues (like some of which we saw after Ant 1.10.13 was released) early will help fix them sooner.
>
> This vote will be open for at least 72 hours and close no earlier than 19th August 2023 12 PM.
>
> -Jaikiran
Re: [VOTE] Release Apache Ant 1.10.14 based on RC1
Thanks Jaikiran!

Here is my vote: +1

Maarten

On Wednesday 16 August 2023 at 14:35:43 CEST, Jaikiran Pai wrote:
> [...]
Re: [VOTE] Release Ivy 2.5.2 Based on RC2
Thanks Stefan!

Here is my vote: +1

Maarten

On Thursday 17 August 2023 at 18:54:01 CEST, Stefan Bodewig wrote:
> Hi all
>
> I've cancelled the previous vote as the NOTICE file didn't contain 2023. Sorry about this.
>
> Now I've built a new release candidate for Ivy 2.5.2
>
> Changelog:
> - FIX: ivy:retrieve could fail because of a `NullPointerException` (IVY-1641)
> - FIX: reading POMs may lose dependencies when multiple Maven dependencies only differ in `classifier` (IVY-1642)
> - IMPROVEMENT: Upgrade Apache HttpClient to 4.5.13 (IVY-1644)
>
> The release artifacts can be found at https://dist.apache.org/repos/dist/dev/ant/ivy/ (svn revision 63486)
>
> Maven Repo is https://repository.apache.org/content/repositories/orgapacheant-1061/org/apache/ivy/ivy/2.5.2/
>
> Again I have not built the update site, but we never did for 2.5.1 either and it never bothered anybody.
>
> Do you vote for the release of these binaries?
>
> [ ] Yes
> [ ] No
>
> This vote will be open for 72 hours as usual, I'll close it on 2023-08-20 17:00 UTC.
>
> Thanks
>
> Stefan
Bug report for Ant [2023/08/20]
Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

Bug ID|Status|Severity|Date Posted|Description
 5003|Opn|Blk|2001-11-21|exec task does not return after executed command f
 6606|Opn|Enh|2002-02-21|META-BUG problems with delegating classloaders
 7552|Opn|Cri|2002-03-28|Invalid task cache in targets
 7712|New|Enh|2002-04-03|Provide patternset support for VSSGET task?
 8294|New|Enh|2002-04-19|: Allow and to app
 8866|New|Enh|2002-05-07|Signal handling in java task
 8895|New|Enh|2002-05-08|ant and/or antcall should support forking
 8972|New|Enh|2002-05-10|allow property expansion in property v
 8981|New|Enh|2002-05-10|Tar task command additional features
 9294|New|Enh|2002-05-21|[PATCH] optional/j2ee/ServerDeploy OC4J Support
 9995|Ass|Enh|2002-06-19|MKS Source Integrity tasks
10020|New|Enh|2002-06-19|'s dependency behaviour should be more con
10231|New|Enh|2002-06-25|Need access to current file in SQLExec
10283|New|Enh|2002-06-27|Add a destfile to the uptodate task
10402|New|Enh|2002-07-02|adding the ability of html like whitespace preserv
    3|New|Enh|2002-07-24|keytool task
11560|Opn|Enh|2002-08-08|Taskdef does not apply reverseLoader policy on sta
12267|New|Enh|2002-09-03|Add ability to unzip into separate folders
12292|New|Enh|2002-09-04|[PATCH] enable tag inside tar
12334|New|Enh|2002-09-05|REQUEST: Ant task doesn't allow attachment of a bu
12518|New|Enh|2002-09-11|Gunzip & BUnZip2 add filesets, patternsets, and ov
12765|New|Enh|2002-09-18|"rmdir" and "deltree" patches for ftp task enhance
12964|New|Enh|2002-09-24|ANTLR only takes one input file at a time
13047|Inf|Enh|2002-09-26|Support for and on O
13371|New|Enh|2002-10-07|[PATCH] Contributed new CvsExportDiff task
13847|New|Nor|2002-10-22|pvcs task: wrong option (-r) specified for get (sh
13934|New|Enh|2002-10-24|Translate task shouldn't load default locale prope
13939|New|Enh|2002-10-24|Translate task should have better key matching cap
14320|New|Enh|2002-11-06|copy fileset followsymlinks="false" does not copy
14393|New|Enh|2002-11-08|Support use of jndi within ant
14512|New|Enh|2002-11-13|Allow creating database connection similar to with does not spot bad symlin
15149|New|Enh|2002-12-06|Replace task
15244|New|Enh|2002-12-10|tar task should be able to store symbolic links as
15430|New|Enh|2002-12-17|Enhancement to ReplaceRegExp.java
15596|New|Enh|2002-12-21|Identity mapper in uptodate task.
15747|New|Enh|2003-01-01|change tasks (e.g. Ant) to take urls as well as fi
15853|New|Enh|2003-01-07|Allow to plug-in different XML Catalog resolver in
15949|Opn|Enh|2003-01-10|please provide links to docs.xml and jakarta-site2
16131|New|Enh|2003-01-15|not possible to suppress "BUILD SUCCESSFUL" messag
16427|New|Enh|2003-01-26|Output return value of setLastModified/document be
16469|New|Enh|2003-01-27|Apply task should allow parallel execution on diff
16562|New|Enh|2003-01-29|Can not accept characters from keyboard in a thre
16860|New|Enh|2003-02-06|Silent or Debug a single target
16896|New|Enh|2003-02-07|Support in ProjectHelper / ProjectHelperImpl to op
17074|New|Enh|2003-02-14|Contribution for WLSTOP
17181|New|Nor|2003-02-18|Build fails while trying to get VSS files by label
17372|New|Enh|2003-02-25|Enhancement of replace Task
17742|New|Maj|2003-03-06|PVCS task generates GET with promotion group incor
17781|New|Enh|2003-03-07|name attribute of record task is not relative to b
17829|New|Enh|2003-03-10|Allow ejbjar task to accept nested manifest
17850|New|Nor|2003-03-10|PVCS task dont work with promotion group
17961|New|Enh|2003-03-13|New task to collect services from a JAR