Bug 10986

Summary: [Update Request] ant CVE-2020-11979
Product: [ROSA-based products] ROSA Fresh
Reporter: Zombie Ryushu <zombie.ryushu>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: CONFIRMED ---
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: alzim, andrey.bondrov, denis.silakov, mc2374
Version: KDE4
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://repology.org/project/ant/cves?version=1.10.1
Whiteboard:
Platform: 2016.1
ROSA Vulnerability identifier: CVE-2020-11979
RPM Package: ant-1.10.9-1.mga7
ISO-related:
Bad POT generating:
Upstream:

Description Zombie Ryushu 2020-12-04 02:51:18 MSK
CVE-2020-1945 2020-05-14T16:15Z 2020-11-26T09:15Z apache ant [1.1, 1.9.14] [1.10.0, 1.10.7]
CVE-2020-11979 2020-10-01T20:15Z 2020-11-16T05:15Z

Comment 1 Zombie Ryushu 2021-05-19 09:41:47 MSK
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions
of temporary files it created so that only the current user was allowed
to access them. Unfortunately the fixcrlf task deleted the temporary file
and created a new one without said protection, effectively nullifying the
effort. This would still allow an attacker to inject modified source files
into the build process (CVE-2020-11979).
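
The permission loss described in comment 1, modelled as an added example (not Apache Ant's code and not part of the bug report): a Python sketch of the delete-and-recreate pattern beside a recreate that keeps owner-only access. The function names, the sample data and the pinned 022 umask are assumptions made for the illustration.

```python
import os
import stat
import tempfile

OWNER_ONLY = 0o600  # rw-------, the protection the comment says 1.10.8 introduced

def mode_of(path):
    """Return the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def make_protected_temp(directory):
    """Create a temp file only its owner can access (mkstemp uses mode 0o600)."""
    fd, path = tempfile.mkstemp(dir=directory, suffix=".tmp")
    os.close(fd)
    return path

def rewrite_by_delete_and_recreate(path, data):
    """Flawed pattern: the recreated file gets default permissions
    (0o666 minus umask) instead of the original owner-only mode."""
    os.unlink(path)
    with open(path, "wb") as f:
        f.write(data)

def rewrite_keeping_protection(path, data):
    """Hardened pattern: recreate with an explicit owner-only mode.
    O_EXCL makes the call fail if the name already exists again."""
    os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, OWNER_ONLY)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def demo():
    """Return (mode before, mode after flawed rewrite, mode after hardened rewrite)."""
    old_umask = os.umask(0o022)  # assumed common default, pinned for a repeatable result
    try:
        with tempfile.TemporaryDirectory() as d:
            a = make_protected_temp(d)
            before = mode_of(a)
            rewrite_by_delete_and_recreate(a, b"converted line\n")
            b = make_protected_temp(d)
            rewrite_keeping_protection(b, b"converted line\n")
            return before, mode_of(a), mode_of(b)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

The same comparison of permission bits works as a packaging check: a temporary file that a build tool has rewritten should still report owner-only access.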