Source: ant
Version: 1.10.4-1
Severity: grave
Tags: security upstream
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=62502
Control: fixed -1 1.10.5-1
Control: found -1 1.9.4-3+deb8u1

Hi

To CVE-2018-10886 there was a followup due to incomplete fix in
upstream 10.0.5 and 1.9.13:

 * the new allowFilesToEscapeDest didn't work when set to false and
   archive entries contained relative paths with so many ".."
   segments that the resulting path would go beyond the file system
   root.
   Bugzilla Report 62502

Cf.

https://bz.apache.org/bugzilla/show_bug.cgi?id=62502
https://github.com/apache/ant/commit/6a41d62cb9ab4e640b72cb4de42a6c211dea645d
https://github.com/apache/ant/commit/5a8c37b271677587046bfd0fea18c1675d5a6300

I requested a CVE for the incomplete fix.

Regards,
Salvatore
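
Added example, not part of the report above and not Ant's code: one way a destination-containment check can miss entries with more ".." segments than the destination has parent directories, next to a check that resolves the path before comparing. The class, the method names, the lenient normalizer and the sample paths are assumptions constructed for illustration, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;

public class EscapeDestCheck {
    // Hypothetical lenient normalizer (not Ant's code): resolves "." and "..",
    // but returns the input unresolved when ".." would climb above the root.
    static String lenientNormalize(String absPath) {
        Deque<String> kept = new ArrayDeque<>();
        for (String seg : absPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (kept.isEmpty()) return absPath; // give up, hand back as-is
                kept.removeLast();
            } else {
                kept.addLast(seg);
            }
        }
        return "/" + String.join("/", kept);
    }

    // Weak check: string-prefix test on whatever the normalizer returned.
    static boolean weakIsInside(String dest, String entry) {
        String target = lenientNormalize(dest + "/" + entry);
        return target.equals(dest) || target.startsWith(dest + "/");
    }

    // Strict check: resolve fully, then compare path components, not characters.
    // Symbolic links are not followed here; that would need toRealPath().
    static boolean strictIsInside(String dest, String entry) {
        Path base = Paths.get(dest).toAbsolutePath().normalize();
        Path target = base.resolve(entry).normalize();
        return target.startsWith(base);
    }

    public static void main(String[] args) {
        String dest = "/tmp/dest"; // constructed sample values
        String[] entries = {
            "docs/readme.txt",          // stays inside dest
            "../outside.txt",           // one level up
            "../../../../../etc/demo",  // more ".." than dest has parents
        };
        for (String e : entries) {
            System.out.printf("%-26s weak=%-5b strict=%b%n",
                    e, weakIsInside(dest, e), strictIsInside(dest, e));
        }
    }
}
```

The third entry is accepted by the weak check because the unresolved string still begins with the destination prefix; the strict check rejects it.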