[ https://issues.apache.org/jira/browse/GROOVY-9788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218194#comment-17218194 ]

Paul King edited comment on GROOVY-9788 at 10/21/20, 9:09 AM:
--------------------------------------------------------------

Thanks for the suggestion. It should be in the next releases. I updated the 
description with some further information. Let me know if that sounds like it 
covers everything you had in mind.


was (Author: paulk):
Thanks for the suggestion. It should be in the next releases. I'll update the 
description with some more information.

> Bump Ant version to 1.10.9 (fixes Apache Ant CVE 2020-11979)
> ------------------------------------------------------------
>
>                 Key: GROOVY-9788
>                 URL: https://issues.apache.org/jira/browse/GROOVY-9788
>             Project: Groovy
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.0.6
>            Reporter: Angela Guardian
>            Assignee: Paul King
>            Priority: Major
>             Fix For: 3.0.7, 4.0.0-alpha-2
>
>
> {quote}
> As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of 
> temporary files it created so that only the current user was allowed to 
> access them. Unfortunately the fixcrlf task deleted the temporary file and 
> created a new one without said protection, effectively nullifying the effort. 
> This would still allow an attacker to inject modified source files into the 
> build process.
> {quote}
> [1] [CVE Reference|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979]
> [2] [Apache Ant Security Reports|https://ant.apache.org/security.html]
> Overall risk assessment for Groovy: *low*
> Details:
> * Groovy's internal usage of Ant is not affected by the above-mentioned CVE.
> * We encourage Groovy users using Groovy in combination with Ant, e.g. 
> {{AntBuilder}}, to read the Apache Ant Security Report[1] and follow the 
> mitigation advice. In particular, anyone using the {{fixcrlf}} Ant task 
> should take note.
> * Recent Groovy versions, e.g. 3.0.6, have been built against Ant 1.10.8 but 
> do not require that version and can safely be used with Ant 1.10.9 which has 
> additional protections against the vulnerability mentioned in the CVE.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
