| Summary: | <dev-java/ant-1.10.8: Insecure temporary file(s) (CVE-2020-1945) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | alex, fordfrog, java, pavol.cupka |
| Priority: | Normal | Flags: | nattka: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lists.apache.org/thread.html/r8e592bbfc016a5dbe2a8c0e81ff99682b9c78c453621b82c14e7b75e%40%3Cdev.ant.apache.org%3E | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=730456 https://bugs.gentoo.org/show_bug.cgi?id=745768 | | |
| Whiteboard: | B1 [glsa+ cve] | | |

Package list:
=dev-java/ant-antlr-1.10.8 amd64 ppc64 x86
=dev-java/ant-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-bcel-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-bsf-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-log4j-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-oro-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-regexp-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-resolver-1.10.8 amd64 ppc64 x86
=dev-java/ant-apache-xalan2-1.10.8 amd64 ppc64 x86
=dev-java/ant-commons-logging-1.10.8 amd64 ppc64 x86
=dev-java/ant-commons-net-1.10.8 amd64 ppc64 x86
=dev-java/ant-core-1.10.8 amd64 arm64 ppc64 x86
=dev-java/ant-jai-1.10.8 amd64 ppc64 x86
=dev-java/ant-javamail-1.10.8 amd64 ppc64 x86
=dev-java/ant-jdepend-1.10.8 amd64 ppc64 x86
=dev-java/ant-jmf-1.10.8 amd64 ppc64 x86
=dev-java/ant-jsch-1.10.8 amd64 ppc64 x86
=dev-java/ant-junit-1.10.8 amd64 arm64 ppc64 x86
=dev-java/ant-junitlauncher-1.10.8 amd64 arm64 ppc64 x86
=dev-java/ant-junit4-1.10.8 amd64 arm64 ppc64 x86
=dev-java/ant-swing-1.10.8 amd64 ppc64 x86
=dev-java/ant-testutil-1.10.8 amd64 ppc64 x86
=dev-java/ant-xz-1.10.8 amd64 arm64 ppc64 x86

Runtime testing required: ---

Description
Sam James
2020-05-14 18:52:11 UTC
@maintainer(s), a bump to 1.10.8 may be easiest given it's in the same series?

i just did the bump. if it is not urgent, i'd wait at least few days before stabilization is requested to catch any issues. i already prepared the list of the packages that will have to be stabilized so then we can just add the archs and stabilization keyword.

(In reply to Miroslav Šulc from comment #2)
> i just did the bump. if it is not urgent, i'd wait at least few days before
> stabilization is requested to catch any issues. i already prepared the list
> of the packages that will have to be stabilized so then we can just add the
> archs and stabilization keyword.

Thanks. How're we looking now?

please stabilize

(In reply to Miroslav Šulc from comment #4)
> please stabilize

Thank you!

x86 stable

amd64 stable

arm64 stable

ppc64 stable. Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cde1c726ba0cf23fbf05c4ef5dcf918b37c94b9

commit 6cde1c726ba0cf23fbf05c4ef5dcf918b37c94b9
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-07-20 08:56:15 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-07-20 09:06:04 +0000

    dev-java/ant: removed old and vulnerable

    Bug: https://bugs.gentoo.org/723086
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/ant-1.10.7.ebuild | 47 ------------------------------------------
 1 file changed, 47 deletions(-)

Thanks!

This issue was resolved and addressed in GLSA 202007-34 at https://security.gentoo.org/glsa/202007-34 by GLSA coordinator Sam James (sam_c).