Source: guava-libraries
Version: 31.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for guava-libraries.

CVE-2020-8908[0]:
| A temp directory creation vulnerability exists in all versions of
| Guava, allowing an attacker with access to the machine to
| potentially access data in a temporary directory created by the
| Guava API com.google.common.io.Files.createTempDir(). By default, on
| unix-like systems, the created directory is world-readable (readable
| by an attacker with access to the system). The method in question
| has been marked @Deprecated in versions 30.0 and later and should
| not be used. For Android developers, we recommend choosing a
| temporary directory API provided by Android, such as
| context.getCacheDir(). For other Java developers, we recommend
| migrating to the Java 7 API
| java.nio.file.Files.createTempDirectory() which explicitly
| configures permissions of 700, or configuring the Java runtime's
| java.io.tmpdir system property to point to a location whose
| permissions are appropriately configured.

CVE-2023-2976[1]:
| Use of Java's default temporary directory for file creation in
| `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on
| Unix systems and Android Ice Cream Sandwich allows other users and
| apps on the machine with access to the default Java temporary
| directory to be able to access the files created by the class. Even
| though the security vulnerability is fixed in version 32.0.0, we
| recommend using version 32.0.1 as version 32.0.0 breaks some
| functionality under Windows.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8908
    https://www.cve.org/CVERecord?id=CVE-2020-8908
[1] https://security-tracker.debian.org/tracker/CVE-2023-2976
    https://www.cve.org/CVERecord?id=CVE-2023-2976

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
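The migration the two advisories recommend, as an added example that is neither part of this bug report nor Guava's own code: a JDK-only replacement for the deprecated Files.createTempDir() that creates the directory with java.nio.file.Files.createTempDirectory(), verifies the resulting mode is owner-only, and audits whether the shared java.io.tmpdir that FileBackedOutputStream writes into is itself private. The class name PrivateTempDir and the helper names are this example's own; it assumes a POSIX filesystem, since getPosixFilePermissions is unsupported on Windows.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Set;

/** Added example (hypothetical helper, not Guava code): private temp dir creation plus a mode audit. */
public class PrivateTempDir {

    // Mode 700: the owner-only set the advisory says createTempDirectory configures by default.
    private static final Set<PosixFilePermission> OWNER_ONLY = EnumSet.of(
            PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE,
            PosixFilePermission.OWNER_EXECUTE);

    /** Drop-in replacement for the deprecated com.google.common.io.Files.createTempDir(). */
    public static Path createPrivateTempDir(String prefix) throws IOException {
        Path dir = Files.createTempDirectory(prefix);
        // Fail closed: if the runtime or filesystem widened the mode, do not hand the dir out.
        if (!isOwnerOnly(dir)) {
            Files.delete(dir);
            throw new IOException("temp dir is not owner-only: " + dir);
        }
        return dir;
    }

    /** True when no group or other permission bit is set (POSIX filesystems only). */
    public static boolean isOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return OWNER_ONLY.containsAll(perms);
    }

    /** Creates a scratch file inside a private dir instead of the shared java.io.tmpdir. */
    public static Path createPrivateTempFile(Path privateDir, String prefix) throws IOException {
        return Files.createTempFile(privateDir, prefix, ".tmp");
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("audit-");
        System.out.println(dir + " -> " + Files.getPosixFilePermissions(dir));
        Path scratch = createPrivateTempFile(dir, "data-");
        // Audit the default temp location that CVE-2023-2976 concerns; a shared /tmp reports false.
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println(tmp + " owner-only? " + isOwnerOnly(tmp));
        Files.delete(scratch);
        Files.delete(dir);
    }
}
```

A "false" for java.io.tmpdir is the condition the second advisory describes: files created there by FileBackedOutputStream are reachable by other local users unless the property points at a directory with restricted permissions.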