[ https://issues.apache.org/jira/browse/GROOVY-9788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul King updated GROOVY-9788:
------------------------------
    Summary: Bump Ant version to 1.10.9 (fixes Apache Ant CVE 2020-11979)  (was: Bump Ant versions (fixes Apache Ant CVE 2020-11979))

> Bump Ant version to 1.10.9 (fixes Apache Ant CVE 2020-11979)
> ------------------------------------------------------------
>
>                 Key: GROOVY-9788
>                 URL: https://issues.apache.org/jira/browse/GROOVY-9788
>             Project: Groovy
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.0.6
>            Reporter: Angela Guardian
>            Priority: Major
>
> {quote}As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
> permissions of temporary files it created so that only the current user was
> allowed to access them. Unfortunately the fixcrlf task deleted the temporary
> file and created a new one without said protection, effectively nullifying
> the effort. This would still allow an attacker to inject modified source
> files into the build process.
> {quote}
> [Reference|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979]
> [Apache Ant Security Reports|https://ant.apache.org/security.html]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
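
The permission regression described in the quoted advisory text, as an added example that is not Ant's or Groovy's code: a temporary file created owner-only loses that protection when it is deleted and recreated with a plain write, and keeps it when the replacement is created with the permission attribute in the same call. The class and method names are hypothetical, the file content is constructed, and the demo assumes a POSIX file system with a typical umask such as 022.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration, not Ant's code. Requires a POSIX file system.
public class TempFilePermsDemo {
    static final FileAttribute<Set<PosixFilePermission>> OWNER_ONLY =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));

    // Weak pattern: delete the protected file, then let a plain write create a
    // new one. The new file gets default permissions (0666 masked by the umask).
    static void recreateDefault(Path tmp, byte[] data) throws IOException {
        Files.delete(tmp);
        Files.write(tmp, data);
    }

    // Hardened pattern: the replacement is created with owner-only permissions
    // in the same call, so there is no window with a wider mode.
    static void recreateOwnerOnly(Path tmp, byte[] data) throws IOException {
        Files.delete(tmp);
        Files.createFile(tmp, OWNER_ONLY);
        Files.write(tmp, data);
    }

    static String mode(Path p) throws IOException {
        return PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
    }

    public static void main(String[] args) throws IOException {
        byte[] data = "constructed sample content\n".getBytes(StandardCharsets.UTF_8);
        Path dir = Files.createTempDirectory("perm-demo");
        Path tmp = Files.createTempFile(dir, "fixcrlf", ".tmp", OWNER_ONLY);
        System.out.println("created:             " + mode(tmp));

        recreateDefault(tmp, data);
        System.out.println("after plain rewrite: " + mode(tmp));

        recreateOwnerOnly(tmp, data);
        System.out.println("after hardened:      " + mode(tmp));

        Files.delete(tmp);
        Files.delete(dir);
    }
}
```

Comparing the three printed modes shows whether a rewrite step silently widened access; the same comparison works as a regression check around any build step that replaces temporary files.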