hive-issues mailing list archives

From "Kevin Risden (Jira)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-23583) Upgrade to ant 1.10.9 due to CVEs
Date Thu, 22 Oct 2020 20:08:00 GMT

    [ https://issues.apache.org/jira/browse/HIVE-23583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17219313#comment-17219313 ]

Kevin Risden commented on HIVE-23583:
-------------------------------------

Created a PR on master that upgrades to 1.10.9: https://github.com/apache/hive/pull/1599

> Upgrade to ant 1.10.9 due to CVEs
> ---------------------------------
>
>                 Key: HIVE-23583
>                 URL: https://issues.apache.org/jira/browse/HIVE-23583
>             Project: Hive
>          Issue Type: Bug
>    Affects Versions: 3.1.2
>            Reporter: Renukaprasad C
>            Assignee: Renukaprasad C
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 4.0.0
>
>         Attachments: HIVE-23583.01.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Update ANT to fix:
> CVE-2020-1945: Apache Ant insecure temporary file vulnerability
> Severity: Medium
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7
> Description:
> Apache Ant uses the default temporary directory identified by the Java
> system property java.io.tmpdir for several tasks and may thus leak
> sensitive information. The fixcrlf and replaceregexp tasks also copy
> files from the temporary directory back into the build tree allowing an
> attacker to inject modified source files into the build process.
> Mitigation:
> Ant users of versions 1.1 to 1.9.14 and 1.10.0 to 1.10.7 should set the
> java.io.tmpdir system property to point to a directory only readable and
> writable by the current user prior to running Ant.
> Users of versions 1.9.15 and 1.10.8 can use the Ant property ant.tmpfile
> instead. Users of Ant 1.10.8 can rely on Ant protecting the temporary
> files if the underlying filesystem allows it, but we still recommend
> using a private temporary directory instead.
> References:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1945
> https://nvd.nist.gov/vuln/detail/CVE-2020-1945



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
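
The mitigation quoted in the issue description above, as an added shell example that is not part of the original message or of the Ant or Hive projects: it checks a version against the affected ranges the advisory lists and runs Ant with `java.io.tmpdir` pointed at a private directory. The function names are hypothetical; `ANT_OPTS` is the environment variable the Ant launcher script passes to the JVM.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Ant or Hive.

# Succeeds (exit 0) when a dotted numeric Ant version lies in the ranges the
# advisory lists as affected: 1.1 to 1.9.14 and 1.10.0 to 1.10.7.
ant_version_affected() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split "1.10.7" into 1 10 7
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -ge 1 ] && [ "$minor" -le 8 ]; then return 0; fi
    if [ "$minor" -eq 9 ] && [ "$patch" -le 14 ]; then return 0; fi
    if [ "$minor" -eq 10 ] && [ "$patch" -le 7 ]; then return 0; fi
    return 1
}

# Creates a fresh directory readable and writable only by the current user
# and prints its path.
make_private_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ant-tmp.XXXXXX") || return 1
    chmod 700 "$dir"     # mktemp -d already uses 0700; enforce it explicitly
    printf '%s\n' "$dir"
}

# Runs ant with java.io.tmpdir pointed at a private directory, then removes it.
# ANT_OPTS is word-split by the launcher, so the path must not contain spaces.
run_ant_private_tmp() {
    tmp=$(make_private_tmpdir) || return 1
    status=0
    ANT_OPTS="${ANT_OPTS:-} -Djava.io.tmpdir=$tmp" ant "$@" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

Calling `run_ant_private_tmp` with the usual Ant arguments applies the mitigation for a single build; the version string to pass to `ant_version_affected` can be read from the output of `ant -version`.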
