From ${URL} :

Description
Apache has acknowledged a vulnerability in Apache Ant, which can be exploited by malicious people to conduct spoofing attacks.

The vulnerability is caused due to the application using a vulnerable version of the JavaDoc tool to generate documentation.

For more information see vulnerability #38 in:
SA53846

The vulnerability is reported in versions prior to 1.9.2.

Solution:
Update to version 1.9.2.

Original Advisory:
http://www.apache.org/dist/ant/RELEASE-NOTES-1.9.2.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=55132

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Ping, needs a bump.
CVE-2013-1571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1571): Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc.
+ 28 Aug 2013; Tom Wijsman <TomWij@gentoo.org> ant-tasks.eclass:
+ Made ant-tasks.eclass support newer versions of the 1.9 branch.

+ 28 Aug 2013; Tom Wijsman <TomWij@gentoo.org> +ant*-1.9.2.ebuild:
+ Version bump to 1.9.2. Fixes security bug #476958.
@java team: are we good to stabilize? And do we need any dependencies, or is stabilizing dev-java/ant* sufficient?
@java: ping
Thanks for the ping, I guess I thought about delaying it for a few days back then; but since we're more than a month later the testing is more than sufficient. Since I have used this every day and it works, please go ahead.

Target keywords for ~dev-java/ant-1.9.2: amd64 ppc x86

Dependency stabilization list:
~dev-java/ant-antlr-1.9.2
~dev-java/ant-apache-bcel-1.9.2
~dev-java/ant-apache-bsf-1.9.2
~dev-java/ant-apache-log4j-1.9.2
~dev-java/ant-apache-oro-1.9.2
~dev-java/ant-apache-regexp-1.9.2
~dev-java/ant-apache-resolver-1.9.2
~dev-java/ant-apache-xalan2-1.9.2
~dev-java/ant-commons-logging-1.9.2
~dev-java/ant-commons-net-1.9.2
~dev-java/ant-core-1.9.2
~dev-java/ant-jai-1.9.2
~dev-java/ant-javamail-1.9.2
~dev-java/ant-jdepend-1.9.2
~dev-java/ant-jmf-1.9.2
~dev-java/ant-jsch-1.9.2
~dev-java/ant-junit-1.9.2
~dev-java/ant-nodeps-1.9.2
~dev-java/ant-swing-1.9.2
~dev-java/ant-testutil-1.9.2
~dev-java/ant-trax-1.9.2

For ppc64, it is unkeyworded, feel free to consider stabilization; bug #475846.

No big bugs that seem to block any of this...
Stabilizing these packages/versions as well?

The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by dev-java/hamcrest-core-1.3
# required by dev-java/junit-4.11
# required by dev-java/ant-junit4-1.9.2
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/hamcrest-generator-1.3-r1 ~x86
# required by dev-java/junit-4.11
# required by dev-java/ant-junit4-1.9.2
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/hamcrest-core-1.3 ~x86
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/junit-4.11 ~x86
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/ant-junit4-1.9.2 ~x86
# required by dev-java/hamcrest-generator-1.3-r1
# required by dev-java/hamcrest-core-1.3
# required by dev-java/junit-4.11
# required by dev-java/ant-junit4-1.9.2
# required by dev-java/ant-testutil-1.9.2
# required by =dev-java/ant-testutil-1.9.2 (argument)
=dev-java/qdox-1.12-r1 ~x86
(In reply to Myckel Habets from comment #7)
> Stabilizing these packages/versions as well?
>
> =dev-java/hamcrest-generator-1.3-r1
> =dev-java/hamcrest-core-1.3
> =dev-java/junit-4.11
> =dev-java/ant-junit4-1.9.2
> =dev-java/qdox-1.12-r1

Affirmative, go ahead.
No problems encountered while arch testing all these packages on x86. Please mark stable for x86.
amd64 and x86 stable, thanks Myckel
ppc stable
ppc/ppc64 done
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
GLSA vote: No

Closing as noglsa