Your message dated Mon, 12 Oct 2020 15:48:33 +0000
with message-id <[email protected]>
and subject line Bug#971612: fixed in ant 1.10.9-1
has caused the Debian Bug report #971612,
regarding ant: CVE-2020-11979
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
971612: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971612
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ant
Version: 1.10.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for ant.
CVE-2020-11979[0]:
| As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the
| permissions of temporary files it created so that only the current
| user was allowed to access them. Unfortunately the fixcrlf task
| deleted the temporary file and created a new one without said
| protection, effectively nullifying the effort. This would still allow
| an attacker to inject modified source files into the build process.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-11979
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11979
[1] https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E
Regards,
Salvatore
--- End Message ---
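The CVE text above describes a classic temp-file mistake: the file is created owner-only, but a later delete-and-recreate step silently reverts to the process umask. The following Java class is an added illustration written for this page, not ant's own code and not the upstream fix; its class and method names (PrivateTempFiles, createPrivate, rewritePrivate, isOwnerOnly) are hypothetical. It shows the owner-only creation, the unsafe delete+recreate pattern that loses the protection, and a rewrite that replaces the contents via a second owner-only scratch file and an atomic move so the permissions are never widened.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/**
 * Hypothetical helper (not ant's code) demonstrating the temp-file handling
 * the CVE description calls for: create scratch files owner-only, and never
 * rewrite them by deleting and recreating with default permissions.
 */
public final class PrivateTempFiles {

    private static final Set<PosixFilePermission> OWNER_RW =
            PosixFilePermissions.fromString("rw-------");

    private PrivateTempFiles() {}

    private static boolean isPosix(Path p) {
        return p.getFileSystem().supportedFileAttributeViews().contains("posix");
    }

    /** Creates a temp file only the current user can read or write. */
    public static Path createPrivate(Path dir, String prefix, String suffix) throws IOException {
        if (isPosix(dir)) {
            FileAttribute<Set<PosixFilePermission>> attr =
                    PosixFilePermissions.asFileAttribute(OWNER_RW);
            // The mode is applied at creation time, so the file never exists
            // with permissions wider than rw------- even briefly.
            return Files.createTempFile(dir, prefix, suffix, attr);
        }
        // Non-POSIX file systems (e.g. Windows): the JDK default inherits the
        // parent directory's ACL; there is no umask to worry about here.
        return Files.createTempFile(dir, prefix, suffix);
    }

    /**
     * Replaces the contents of an existing private temp file. The vulnerable
     * pattern was delete + recreate (picking up the umask); here the new data
     * is written to a second owner-only file that is atomically moved over the
     * original, so the original's protection level is carried forward.
     */
    public static void rewritePrivate(Path target, byte[] newContents) throws IOException {
        Path dir = target.toAbsolutePath().getParent();
        Path scratch = createPrivate(dir, "rewrite", ".tmp");
        try {
            Files.write(scratch, newContents);
            Files.move(scratch, target,
                    StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            Files.deleteIfExists(scratch);
        }
    }

    /** True when no group/other permission bit is set (POSIX only; true elsewhere). */
    public static boolean isOwnerOnly(Path p) throws IOException {
        if (!isPosix(p)) {
            return true;
        }
        Set<PosixFilePermission> others = EnumSet.noneOf(PosixFilePermission.class);
        others.addAll(Files.getPosixFilePermissions(p));
        others.removeAll(OWNER_RW);
        others.remove(PosixFilePermission.OWNER_EXECUTE);
        return others.isEmpty();
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("private-demo");
        Path f = createPrivate(dir, "src", ".java");
        Files.write(f, "class A {}\r\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("created owner-only:            " + isOwnerOnly(f));

        // Unsafe: delete and recreate; with a typical umask of 022 the new
        // file comes back rw-r--r-- and is readable by every local user.
        Files.delete(f);
        Files.write(f, "class A {}\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("after delete+recreate owner-only: " + isOwnerOnly(f));

        // Safe: rewrite through an owner-only scratch file and atomic move.
        rewritePrivate(f, "class A {}\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("after rewritePrivate owner-only:  " + isOwnerOnly(f));

        Files.delete(f);
        Files.delete(dir);
    }
}
```

On a Linux or macOS host with the usual umask of 022, the three lines print true, false, true; the middle line is the behaviour the CVE describes. A build system that wants a hard guarantee can call isOwnerOnly (or an equivalent check) on every scratch file before feeding it back into the build, which turns a silent permission regression into a failed build.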
--- Begin Message ---
Source: ant
Source-Version: 1.10.9-1
Done: Emmanuel Bourg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
ant, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <[email protected]> (supplier of updated ant package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 12 Oct 2020 17:30:15 +0200
Source: ant
Architecture: source
Version: 1.10.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Emmanuel Bourg <[email protected]>
Closes: 971612
Changes:
ant (1.10.9-1) unstable; urgency=medium
.
* New upstream release
- Fixes CVE-2020-11979: Insecure temporary file (Closes: #971612)
Checksums-Sha1:
8e5de7f8518932d7f90e35784137fbdee9e98a26 2417 ant_1.10.9-1.dsc
dea2e85927e598a956a15d7a6fdf33b09f272c81 3341724 ant_1.10.9.orig.tar.xz
ad517ec0f1b5c6053141191357edf967ac9ef9b1 19652 ant_1.10.9-1.debian.tar.xz
505327c8703ef1437451c0fa23397b660ed606c4 9330 ant_1.10.9-1_source.buildinfo
Checksums-Sha256:
fe1e62c61dce551ce1c9a27899f5ecb359aca4b681c994a2a5984e32dfc6b442 2417 ant_1.10.9-1.dsc
f6fc5aeeeb414d7765691a5690131bd49bce305af698427c10fe2f3e48d895b3 3341724 ant_1.10.9.orig.tar.xz
387aaff9d75cb8ded257e9b42100d9751de6af910a7865ecaed821ec6f46f8b2 19652 ant_1.10.9-1.debian.tar.xz
659e9df5b6b0276fab2bac58c8429b3ca073c555a9356d8ef00efeb8d0ee71a5 9330 ant_1.10.9-1_source.buildinfo
Files:
dc683e8ed64feeec3de1f8015f2215d1 2417 java optional ant_1.10.9-1.dsc
85daeb5bb43658a842435f53ad5e2781 3341724 java optional ant_1.10.9.orig.tar.xz
029ec1e5f2588c3d0914797791805b27 19652 java optional ant_1.10.9-1.debian.tar.xz
cc6597d3b1ce20710697aa2d9cedb87d 9330 java optional ant_1.10.9-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.