AOSC-Dev / aosc-os-abbs

ABBS/ACBS tree for AOSC OS package metadata, build configuration, scripts, and patches
https://packages.aosc.io
GNU General Public License v2.0

apache-ant: security update to 1.10.4 #1210

Closed l2dy closed 6 years ago

l2dy commented 6 years ago

1.10.4 (unreleased)

Changes from Ant 1.10.3 TO Ant 1.10.4
=====================================

Changes that could break older environments:
-------------------------------------------

 * <unzip>, <unjar> and <untar> will no longer extract entries whose
   names would make the created files be placed outside of the
   destination directory anymore by default. A new attribute
   allowFilesToEscapeDest can be used to override the behavior.
   Another special case is when stripAbsolutePathSpec is false (which
   no longer is the default) and the entry's name starts with a
   (back)slash and allowFilesToEscapeDest hasn't been specified
   explicitly, in this case the file may be created outside of the
   dest directory as well.
   In addition stripAbsolutePathSpec is now true by default.
   Based on a recommendation by the Snyk Security Research Team.

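The containment rule in the release note above, sketched as an added example that is not Ant's code and not part of this thread: a Python auditor that lists zip entries whose names would resolve outside the destination directory. The function names, the `/build/out` destination and the sample archive are constructed for illustration, and `strip_absolute` only approximates the effect of `stripAbsolutePathSpec`.

```python
import io
import posixpath
import zipfile


def escapes_dest(name, dest="/build/out", strip_absolute=True):
    """Return True if an archive entry name would resolve outside dest."""
    dest = posixpath.normpath(dest)
    name = name.replace("\\", "/")  # the note covers a leading (back)slash
    if strip_absolute:
        name = name.lstrip("/")  # approximates stripAbsolutePathSpec=true
    # posixpath.join discards dest when name is still absolute
    target = posixpath.normpath(posixpath.join(dest, name))
    # Compare with a trailing separator so /build/out2 is not taken for /build/out
    return not (target == dest or target.startswith(dest + "/"))


def audit_zip(data, dest="/build/out", strip_absolute=True):
    """List entry names in a zip (given as bytes) that would escape dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if escapes_dest(n, dest, strip_absolute)]


def build_sample():
    """Constructed archive: one benign entry and three hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("ok/readme.txt", "../evil.txt",
                     "ok/../../out2/up.txt", "/etc/abs.txt"):
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("escaping (absolute paths stripped):", audit_zip(sample))
    print("escaping (absolute paths kept):    ",
          audit_zip(sample, strip_absolute=False))
```

Running the same audit over archives a build consumes shows which entries a pre-1.10.4 extraction could have written outside the destination.
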
MingcongBai commented 6 years ago

1.10.4 is not yet released.

MingcongBai commented 6 years ago

Fix released.

MingcongBai commented 6 years ago

Fixed with https://github.com/AOSC-Dev/aosc-os-abbs/commit/77e06ce4b885e5b37b97d0f900883088dbcfaa78. Closing.

l2dy commented 6 years ago

Use AOSA-2018-0299.