[ 
https://issues.apache.org/jira/browse/GROOVY-9788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Paul King updated GROOVY-9788:
------------------------------
    Summary: Bump Ant version to 1.10.9 (fixes Apache Ant CVE 2020-11979)  
(was: Bump Ant versions (fixes Apache Ant CVE 2020-11979))

> Bump Ant version to 1.10.9 (fixes Apache Ant CVE 2020-11979)
> ------------------------------------------------------------
>
>                 Key: GROOVY-9788
>                 URL: https://issues.apache.org/jira/browse/GROOVY-9788
>             Project: Groovy
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.0.6
>            Reporter: Angela Guardian
>            Priority: Major
>
> {quote}As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the 
> permissions of temporary files it created so that only the current user was 
> allowed to access them. Unfortunately the fixcrlf task deleted the temporary 
> file and created a new one without said protection, effectively nullifying 
> the effort. This would still allow an attacker to inject modified source 
> files into the build process.
> {quote}
> [Reference|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979]
> [Apache Ant Security Reports|https://ant.apache.org/security.html]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
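
The permission regression described in the quoted advisory text, shown as an added example (this is not Ant's or Groovy's code): on a POSIX system, deleting an owner-only temporary file and recreating it by name produces a file whose mode comes from the umask instead. The function names and the atomic-replace hardening are assumptions chosen for illustration.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of a file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rewrite_unsafe(path, data):
    # Pattern from the advisory: the protected temp file is deleted and a
    # new file is created by name, so it gets umask-derived permissions.
    os.remove(path)
    with open(path, "wb") as f:
        f.write(data)


def rewrite_safe(path, data):
    # Hardened variant (assumption, not Ant's actual patch): write into a
    # fresh mkstemp() file (mode 0600, O_EXCL) in the same directory, then
    # atomically replace the original so no unprotected file ever exists.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Return {name: (mode_before, mode_after)} for both rewrite styles."""
    old_umask = os.umask(0o022)  # typical default, fixed for repeatability
    try:
        with tempfile.TemporaryDirectory() as workdir:
            results = {}
            for name, fn in (("unsafe", rewrite_unsafe), ("safe", rewrite_safe)):
                fd, path = tempfile.mkstemp(dir=workdir)  # created 0600
                os.close(fd)
                before = mode_of(path)
                fn(path, b"constructed sample line\r\n")
                results[name] = (before, mode_of(path))
            return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name}: {before:04o} -> {after:04o}")
```

A quick audit for the same class of bug in build tooling is to compare `mode_of()` on temporary files before and after each processing step; any widening from `0600` marks a step that recreates the file.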
