[ https://issues.apache.org/jira/browse/GROOVY-9788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218194#comment-17218194 ]
Paul King edited comment on GROOVY-9788 at 10/21/20, 9:09 AM:
--------------------------------------------------------------

Thanks for the suggestion. It should be in the next releases. I updated the description with some further information. Let me know if that sounds like it covers everything you had in mind.

was (Author: paulk):
Thanks for the suggestion. It should be in the next releases. I'll update the description with some more information.

> Bump Ant version to 1.10.9 (fixes Apache Ant CVE 2020-11979)
> ------------------------------------------------------------
>
>                 Key: GROOVY-9788
>                 URL: https://issues.apache.org/jira/browse/GROOVY-9788
>             Project: Groovy
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.0.6
>            Reporter: Angela Guardian
>            Assignee: Paul King
>            Priority: Major
>             Fix For: 3.0.7, 4.0.0-alpha-2
>
>
> {quote}
> As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of
> temporary files it created so that only the current user was allowed to
> access them. Unfortunately the fixcrlf task deleted the temporary file and
> created a new one without said protection, effectively nullifying the effort.
> This would still allow an attacker to inject modified source files into the
> build process.
> {quote}
> [1] [CVE Reference|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979]
> [2] [Apache Ant Security Reports|https://ant.apache.org/security.html]
> Overall risk assessment for Groovy: *low*
> Details:
> * Groovy's internal usage of Ant is not affected by the above mentioned CVE.
> * We encourage Groovy users using Groovy in combination with Ant, e.g. {{AntBuilder}} to read the Apache Ant Security Report[1] and follow the mitigation advice. In particular, anyone using the {{fixcrlf}} Ant task should take note.
> * Recent Groovy versions, e.g. 3.0.6, have been built against Ant 1.10.8 but do not require that version and can safely be used with Ant 1.10.9 which has additional protections against the vulnerability mentioned in the CVE.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
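The description above notes that Groovy does not pin the Ant version it is used with, so an {{AntBuilder}} script inherits whatever Ant is on the classpath, and that users of {{fixcrlf}} in particular should follow the Ant mitigation advice. The following Groovy script is an added example, not code from this issue or from the Groovy project: it reads the version string that Ant reports through {{org.apache.tools.ant.Main.getAntVersion()}} and refuses to run {{fixcrlf}} unless that version is at least 1.10.9, the release the issue names as carrying the additional protections. The helper names ({{antVersion}}, {{compareVersions}}, {{guardedFixCrlf}}) and the source directory and file pattern passed to the task are my own constructed placeholders; the script assumes an Ant jar and the groovy-ant module are on the classpath.

```groovy
// Added example (not from the Groovy project or this issue): run the Ant
// fixcrlf task only when the Ant on the classpath is at least 1.10.9.
import groovy.ant.AntBuilder
import org.apache.tools.ant.Main

// Extract the numeric version ("1.10.9") from Ant's banner string, which
// looks like "Apache Ant(TM) version 1.10.9 compiled on September 27 2020".
String antVersion() {
    def m = Main.antVersion =~ /version (\d+(?:\.\d+)+)/
    m.find() ? m.group(1) : null
}

// Compare dotted version strings numerically so that 1.10.9 > 1.9.15
// (a plain string comparison would get this wrong). Missing trailing
// components count as 0, so 1.10 == 1.10.0.
int compareVersions(String a, String b) {
    List<Integer> x = a.tokenize('.')*.toInteger()
    List<Integer> y = b.tokenize('.')*.toInteger()
    for (int i = 0; i < Math.max(x.size(), y.size()); i++) {
        int c = (x[i] ?: 0) <=> (y[i] ?: 0)   // x[i] is null past the end of the list
        if (c != 0) return c
    }
    return 0
}

// Hypothetical guard: fail the build early instead of running fixcrlf on an
// Ant release that predates the CVE-2020-11979 fix.
void guardedFixCrlf(AntBuilder ant, Map<String, Object> taskAttrs) {
    String v = antVersion()
    if (v == null || compareVersions(v, '1.10.9') < 0) {
        throw new IllegalStateException(
            "Ant ${v ?: '(unknown)'} found on the classpath; fixcrlf requires Ant >= 1.10.9 (CVE-2020-11979)")
    }
    ant.fixcrlf(taskAttrs)
}

// Example call; srcdir and includes are constructed placeholders.
def ant = new AntBuilder()
guardedFixCrlf(ant, [srcdir: 'src/main/groovy', includes: '**/*.groovy', eol: 'lf'])
```

Inside a running Ant project the same version string is also available as the {{ant.version}} property ({{ant.project.getProperty('ant.version')}}), so the guard can be expressed as an Ant condition too; the point is to make the Ant version an explicit build input rather than an accident of the classpath.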