Date: Wed, 13 May 2020 18:38:16 +0200 From: Stefan Bodewig <bodewig@...che.org> To: dev@....apache.org, user@....apache.org, announce@...che.org, Mike Salvatore <mike.salvatore@...onical.com>, security@...che.org, oss-security@...ts.openwall.com Subject: [CVE-2020-1945] Apache Ant insecure temporary file vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2020-1945: Apache Ant insecure temporary file vulnerability Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 Description: Apache Ant uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process. Mitigation: Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the java.io.tmpdir system property to point to a directory only readable and writable by the current user prior to running Ant. Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary files if the underlying filesystem allows it, but we still recommend using a private temporary directory instead. Credit: This issue was discovered by Mike Salvatore of the Ubuntu Security Team. References: https://ant.apache.org/security.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAl68InYACgkQohFa4V9ri3JMuwCeJCxfVbb0FX7oVgzUpskGH28u ZIYAoLDKeuyh585wmuiCySIj5EW4hYch =KIJP -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.