[ubuntu/trusty-updates] ant 1.9.3-2ubuntu0.1 (Accepted)
Ubuntu Archive Robot
cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Tue Jul 24 17:28:39 UTC 2018
ant (1.9.3-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Fix ZipSlip vulnerability
    - debian/patches/CVE-2018-10886-1.patch: don't extract entries outside of
      the destination directory in
      src/main/org/apache/tools/ant/taskdefs/Expand.java,
      src/tests/antunit/taskdefs/unzip-test.xml
    - debian/patches/CVE-2018-10886-2.patch: Update the manual
      manual/Tasks/unzip.html
    - debian/patches/CVE-2018-10886-3.patch: Small update to the manual entry
      manual/Tasks/unzip.html
    - debian/patches/CVE-2018-10886-4.patch: Change stripAbsolutePathSpec's
      default value
      manual/Tasks/unzip.html
      src/main/org/apache/tools/ant/taskdefs/Expand.java
    - debian/patches/CVE-2018-10886-5.patch: add additional isLeadingPath
      method that resolves symlinks
      src/main/org/apache/tools/ant/util/FileUtils.java
      src/tests/junit/org/apache/tools/ant/util/FileUtilsTest.java
    - debian/patches/CVE-2018-10886-6.patch: take symlinks into account when
      expanding archives and checking entries
      src/main/org/apache/tools/ant/taskdefs/Expand.java
    - CVE-2018-10886

Date: 2018-07-24 15:17:14.482645+00:00
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/ant/1.9.3-2ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.
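
The check the changelog describes (refuse entries that resolve outside the destination directory, including through symlinks), as an added Java example. It is not the code from the Ant patches; `SafeUnzip`, `resolveEntry`, `unzip` and the sample entry names are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public final class SafeUnzip {
    /** Hypothetical helper: returns the checked target, or throws if the entry would land outside destDir. */
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path realDest = destDir.toRealPath();                  // destination with symlinks resolved
        Path target = realDest.resolve(entryName).normalize(); // collapses "../"; an absolute name replaces realDest
        // Path.startsWith compares whole name elements, so /tmp/out-evil is not "inside" /tmp/out.
        if (!target.startsWith(realDest)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        // The lexical check cannot see symlinks already on disk under the destination,
        // so resolve the deepest existing ancestor of the target and check it again.
        Path existing = target;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) existing = existing.getParent();
        if (!existing.toRealPath().startsWith(realDest)) {     // a dangling link throws here: fail closed
            throw new IOException("entry escapes destination via symlink: " + entryName);
        }
        return target;
    }

    /** Extracts a zip stream, checking every entry before anything is written. */
    static void unzip(InputStream zip, Path destDir) throws IOException {
        Files.createDirectories(destDir);
        try (ZipInputStream in = new ZipInputStream(zip)) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                Path target = resolveEntry(destDir, e.getName());
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed entry names; "link" is a symlink placed in the destination (needs symlink support).
        Path dest = Files.createTempDirectory("unzip-demo");
        Files.createSymbolicLink(dest.resolve("link"), Files.createTempDirectory("elsewhere"));
        for (String name : new String[] {"docs/readme.txt", "../outside.txt", "link/x.txt"}) {
            try {
                System.out.println("ok: " + resolveEntry(dest, name));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```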