Security update for ant SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0703-1 Final 1 1 2020-05-23T18:14:17Z current 2020-05-23T18:14:17Z 2020-05-23T18:14:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ant This update for ant fixes the following issues: Security issue fixed: - CVE-2018-10886: Fixed a path traversal vulnerability in malformed zip file paths, which allowed arbitrary file writes and could potentially lead to code execution (bsc#1100053). Non-security issues fixed: - Add rhino to the ant-apache-bsf optional tasks (bsc#1134001). - Remove jakarta-commons-logging dependencies (bsc#1133997). - Use apache-commons-logging in optional tasks This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-703 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FYDYD3MZN2O2HWJJEJVQKW25G3BTTIHR/ E-Mail link for openSUSE-SU-2020:0703-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1100053 SUSE Bug 1100053 https://bugzilla.suse.com/1133997 SUSE Bug 1133997 https://bugzilla.suse.com/1134001 SUSE Bug 1134001 https://www.suse.com/security/cve/CVE-2018-10886/ SUSE CVE CVE-2018-10886 page openSUSE Leap 15.1 ant-1.9.10-lp151.4.3.1 ant-antlr-1.9.10-lp151.4.3.1 ant-apache-bcel-1.9.10-lp151.4.3.1 ant-apache-bsf-1.9.10-lp151.4.3.1 ant-apache-log4j-1.9.10-lp151.4.3.1 ant-apache-oro-1.9.10-lp151.4.3.1 ant-apache-regexp-1.9.10-lp151.4.3.1 ant-apache-resolver-1.9.10-lp151.4.3.1 ant-apache-xalan2-1.9.10-lp151.4.3.1 ant-commons-logging-1.9.10-lp151.4.3.1 ant-commons-net-1.9.10-lp151.4.3.1 ant-javamail-1.9.10-lp151.4.3.1 ant-jdepend-1.9.10-lp151.4.3.1 ant-jmf-1.9.10-lp151.4.3.1 ant-jsch-1.9.10-lp151.4.3.1 ant-junit-1.9.10-lp151.4.3.1 ant-manual-1.9.10-lp151.4.3.1 ant-scripts-1.9.10-lp151.4.3.1 ant-swing-1.9.10-lp151.4.3.1 ant-testutil-1.9.10-lp151.4.3.1 ant-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-antlr-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-bcel-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-bsf-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-log4j-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-oro-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-regexp-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-resolver-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-apache-xalan2-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-commons-logging-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-commons-net-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-javamail-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-jdepend-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-jmf-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-jsch-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-junit-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-manual-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-scripts-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-swing-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ant-testutil-1.9.10-lp151.4.3.1 as a component of openSUSE Leap 15.1 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate is not about any specific product, protocol, or design, that falls into the scope of the assigning CNA. Notes: None. CVE-2018-10886 openSUSE Leap 15.1:ant-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-antlr-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-bcel-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-bsf-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-log4j-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-oro-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-regexp-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-resolver-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-apache-xalan2-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-commons-logging-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-commons-net-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-javamail-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-jdepend-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-jmf-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-jsch-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-junit-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-manual-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-scripts-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-swing-1.9.10-lp151.4.3.1 openSUSE Leap 15.1:ant-testutil-1.9.10-lp151.4.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FYDYD3MZN2O2HWJJEJVQKW25G3BTTIHR/ https://www.suse.com/security/cve/CVE-2018-10886.html CVE-2018-10886 https://bugzilla.suse.com/1100053 SUSE Bug 1100053