[Bugs] [Bug 13529] New: [CVE 21] guava 25.0 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed Aug 23 23:19:56 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13529

          Platform: 2021.1
            Bug ID: 13529
           Summary: [CVE 21] guava 25.0 CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2020-8908, CVE-2023-2976,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
                CC: e.kosachev at rosalinux.ru, s.matveev at rosalinux.ru,
                    y.tumanov at rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package guava version 25.0

INFO (CVEs are): guava 25.0 CVEs found
CVE-2020-8908
Desc: A temp directory creation vulnerability exists in all versions of Guava,
allowing an attacker with access to the machine to potentially access data in a
temporary directory created by the Guava API
com.google.common.io.Files.createTempDir(). By default, on unix-like systems,
the created directory is world-readable (readable by an attacker with access to
the system). The method in question has been marked @Deprecated in versions
30.0 and later and should not be used. For Android developers, we recommend
choosing a temporary directory API provided by Android, such as
context.getCacheDir(). For other Java developers, we recommend migrating to the
Java 7 API java.nio.file.Files.createTempDirectory() which explicitly
configures permissions of 700, or configuring the Java runtime's java.io.tmpdir
system property to point to a location whose permissions are appropriately
configured.


Link: https://nvd.nist.gov/vuln/detail/CVE-2020-8908
Severity: LOW
CVE-2023-2976
Desc: Use of Java's default temporary directory for file creation in
`FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems
and Android Ice Cream Sandwich allows other users and apps on the machine with
access to the default Java temporary directory to be able to access the files
created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend
using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.


Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2976
Severity: HIGH
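Both advisories above come down to the same defect: a temporary directory or file is created under a location (the deprecated Files.createTempDir() result, or the shared java.io.tmpdir) whose group/other permission bits let other local accounts read it. The following Java class is an added example, not code from this bug report or from the Guava project: it creates a private 0700 temporary directory with the java.nio.file API the first advisory recommends, creates temporary files inside that explicit directory rather than in java.io.tmpdir (the pattern FileBackedOutputStream lacked before 32.0.1), and audits any path for group/other bits so an operator can confirm that the configured java.io.tmpdir is actually private. It assumes a POSIX filesystem; Files.getPosixFilePermissions throws UnsupportedOperationException on Windows.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

/** Added example (not part of the bug report or of Guava). Assumes a POSIX filesystem. */
public class PrivateTempDirAudit {

    /** Bits that must be absent on a private temp location: anything for group or others. */
    private static final Set<PosixFilePermission> SHARED_BITS = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    /**
     * Hardened replacement for the deprecated Guava Files.createTempDir():
     * the directory is created atomically with mode 0700, as the advisory for
     * CVE-2020-8908 recommends, so there is no window in which it is world-readable.
     */
    static Path createPrivateTempDir(String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        return Files.createTempDirectory(prefix, ownerOnly);
    }

    /**
     * Creates a scratch file inside an explicit private directory instead of the
     * default java.io.tmpdir, which is what left FileBackedOutputStream exposed
     * (CVE-2023-2976) before Guava 32.0.1.
     */
    static Path createPrivateTempFile(Path privateDir, String prefix) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile(privateDir, prefix, ".tmp", ownerOnly);
    }

    /** Returns the group/other bits present on the path; an empty set means owner-only. */
    static Set<PosixFilePermission> sharedBits(Path p) throws IOException {
        Set<PosixFilePermission> perms = EnumSet.copyOf(Files.getPosixFilePermissions(p));
        perms.retainAll(SHARED_BITS);
        return perms;
    }

    /** True when the directory the JVM would use for default temp files is owner-only. */
    static boolean javaTmpdirIsPrivate() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        return sharedBits(tmp).isEmpty();
    }

    public static void main(String[] args) throws IOException {
        Path dir = createPrivateTempDir("guava-audit-");
        Path file = createPrivateTempFile(dir, "fbos-");
        // On a typical system /tmp is mode 1777, so the default location reports shared bits
        // while the directory created above reports none.
        System.out.println("java.io.tmpdir = " + System.getProperty("java.io.tmpdir")
                + " shared bits: " + sharedBits(Paths.get(System.getProperty("java.io.tmpdir")))
                + " private? " + javaTmpdirIsPrivate());
        System.out.println(dir + " shared bits: " + sharedBits(dir));
        System.out.println(file + " shared bits: " + sharedBits(file));
        Files.delete(file);
        Files.delete(dir);
    }
}
```

When a Guava version older than 32.0.1 cannot be replaced yet, the second advisory's workaround is to point java.io.tmpdir at a directory that passes the audit above; set it at JVM start (for example `-Djava.io.tmpdir=/path/to/private/dir` on the command line) rather than with System.setProperty at runtime, because the JDK's temp-file helpers read the property once when they are first loaded.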

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- next part -----------
An HTML attachment was scrubbed...
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/3e5693ab/attachment.html>


More information about the Bugs mailing list