| Field | Value |
|---|---|
| Summary | <dev-java/ant-1.10.9: Insecure temporary file (CVE-2020-11979) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Sam James <sam> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | Normal |
| CC | fordfrog, java |
| Flags | nattka: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://mail-archives.apache.org/mod_mbox/ant-dev/202009.mbox/raw/%3C87lfgrb3el.fsf%40v45346.1blu.de%3E/ |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=723086 |
| Whiteboard | B1 [glsa+ cve] |
| Runtime testing required | --- |

Package list:

- dev-java/ant-antlr-1.10.9 amd64 ppc64 x86
- dev-java/ant-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-bcel-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-bsf-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-log4j-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-oro-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-regexp-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-resolver-1.10.9 amd64 ppc64 x86
- dev-java/ant-apache-xalan2-1.10.9 amd64 ppc64 x86
- dev-java/ant-commons-logging-1.10.9 amd64 ppc64 x86
- dev-java/ant-commons-net-1.10.9 amd64 ppc64 x86
- dev-java/ant-core-1.10.9
- dev-java/ant-jai-1.10.9 amd64 ppc64 x86
- dev-java/ant-javamail-1.10.9 amd64 ppc64 x86
- dev-java/ant-jdepend-1.10.9 amd64 ppc64 x86
- dev-java/ant-jmf-1.10.9 amd64 ppc64 x86
- dev-java/ant-jsch-1.10.9 amd64 ppc64 x86
- dev-java/ant-junit-1.10.9
- dev-java/ant-junitlauncher-1.10.9
- dev-java/ant-junit4-1.10.9
- dev-java/ant-swing-1.10.9 amd64 ppc64 x86
- dev-java/ant-testutil-1.10.9 amd64 ppc64 x86
- dev-java/ant-xz-1.10.9
Description

Comment #1, Sam James, 2020-09-30 17:19:30 UTC:

Please bump to 1.10.9.

Comment #2, Miroslav Šulc:

(In reply to Sam James from comment #1)
> Please bump to 1.10.9.

Will bump it, probably this Saturday, not sure if I get to it sooner but will try...

Comment #3:

(In reply to Miroslav Šulc from comment #2)
> (In reply to Sam James from comment #1)
> > Please bump to 1.10.9.
>
> Will bump it, probably this Saturday, not sure if I get to it sooner but
> will try...

No problem :)

Comment #4:

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8f81cda7fd2ef2867d07826499d246fe4d97937c

commit 8f81cda7fd2ef2867d07826499d246fe4d97937c
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-10-01 18:14:49 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-10-01 18:16:06 +0000

    dev-java/ant: bump to 1.10.9

    Bug: https://bugs.gentoo.org/745768
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/ant-1.10.9.ebuild | 47 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

Comment #5, Miroslav Šulc:

Probably should be safe to stabilize, leaving that for you to decide whether to stabilize it immediately or give it a day or two.

Comment #6:

Unable to check for sanity:

> no match for package: ant-antlr/ant-antlr-1.10.9

Comment #7:

All sanity-check issues have been resolved.

Comment #8:

(In reply to Miroslav Šulc from comment #5)
> Probably should be safe to stabilize, leaving that for you to decide whether
> to stabilize it immediately or give it a day or two.

I think we should be OK now, thank you as ever btw :)

Comment #9:

arm64 done

Comment #10:

amd64 stable

Comment #11:

ppc64 stable

Comment #12:

x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment #13:

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07845bfd65bcb03eb7e59299915acacf24bfc400

commit 07845bfd65bcb03eb7e59299915acacf24bfc400
Author: Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2020-10-15 07:41:38 +0000
Commit: Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2020-10-15 07:41:38 +0000

    dev-java/ant: removed vulnerable 1.10.8

    Bug: https://bugs.gentoo.org/745768
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/ant/ant-1.10.8.ebuild | 47 ------------------------------------------
 1 file changed, 47 deletions(-)

Comment #14, Miroslav Šulc:

The tree is clean now, you can proceed :-)

Comment #15:

(In reply to Miroslav Šulc from comment #14)
> The tree is clean now, you can proceed :-)

Thank you!

Comment #16:

This issue was resolved and addressed in GLSA 202011-18 at https://security.gentoo.org/glsa/202011-18 by GLSA coordinator Aaron Bauman (b-man).