Package "ant-optional"
Name: ant-optional
Description: Java based build tool like make - optional libraries
Latest version: 1.9.6-1ubuntu1.1
Release: xenial (16.04)
Level: security
Repository: universe
Head package: ant
Homepage: http://ant.apache.org
Changelog
ant (1.9.6-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Fix ZipSlip vulnerability
    - debian/patches/CVE-2018-10886-1.patch: don't extract entries outside of
      the destination directory in
      src/main/org/apache/tools/ant/taskdefs/Expand.java,
      src/tests/antunit/taskdefs/unzip-test.xml
    - debian/patches/CVE-2018-10886-2.patch: Update the manual
      manual/Tasks/unzip.html
    - debian/patches/CVE-2018-10886-3.patch: Small update to the manual entry
      manual/Tasks/unzip.html
    - debian/patches/CVE-2018-10886-4.patch: Change stripAbsolutePathSpec's
      default value
      manual/Tasks/unzip.html
      src/main/org/apache/tools/ant/taskdefs/Expand.java
    - debian/patches/CVE-2018-10886-5.patch: add additional isLeadingPath
      method that resolves symlinks
      src/main/org/apache/tools/ant/util/FileUtils.java
      src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
    - debian/patches/CVE-2018-10886-6.patch: take symlinks into account when
      expanding archives and checking entries
      src/main/org/apache/tools/ant/taskdefs/Expand.java
    - CVE-2018-10886

 -- Mike Salvatore <email address hidden>  Fri, 20 Jul 2018 13:55:37 -0400

CVE-2018-10886
ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to