UbuntuUpdates.org

Package "ant-optional"

Name: ant-optional

Description:

Java based build tool like make - optional libraries

Latest version: 1.9.6-1ubuntu1.1
Release: xenial (16.04)
Level: security
Repository: universe
Head package: ant
Homepage: http://ant.apache.org

Links


Download "ant-optional"


Other versions of "ant-optional" in Xenial

Repository Area Version
base universe 1.9.6-1ubuntu1
updates universe 1.9.6-1ubuntu1.1

Changelog

Version: 1.9.6-1ubuntu1.1 2018-07-24 20:06:38 UTC

  ant (1.9.6-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Fix ZipSlip vulnerability
    - debian/patches/CVE-2018-10886-1.patch: don't extract entires outside of
      the destination directory in
      src/main/org/apache/tools/ant/taskdefs/Expand.java,
      src/tests/antunit/taskdefs/unzip-test.xml
    - debian/patches/CVE-2018-10886-2.patch: Update the manual
      manual/Tasks/unzip.html
    - debian/patches/CVE-2018-10886-3.patch: Small update to the manual entry
      manual/Tasks/unzip.html
    - debian/patches/CVE-2018-10886-4.patch: Change stripAbsolutePathSpec's
      default value
      manual/Tasks/unzip.html
      src/main/org/apache/tools/ant/taskdefs/Expand.java
    - debian/patches/CVE-2018-10886-5.patch: add additional isLeadingPath
      method that resolves symlinks
      src/main/org/apache/tools/ant/util/FileUtils.java
      src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
    - debian/patches/CVE-2018-10886-6.patch: take symlinks into account when
      expanding archives and checking entries
      src/main/org/apache/tools/ant/taskdefs/Expand.java
    - CVE-2018-10886

 -- Mike Salvatore <email address hidden> Fri, 20 Jul 2018 13:55:37 -0400

CVE-2018-10886 ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to



About   -   Send Feedback to @ubuntu_updates