[Bugs] [Bug 13258] [CVE 21] junit4 4.11 CVEs found

bugzilla bugzilla на rosalinux.ru
Wed May 3 16:34:02 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13258

Svyatoslav Matveev <s.matveev на rosalinux.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Svyatoslav Matveev <s.matveev на rosalinux.ru> ---
(In reply to Yury from comment #0)
> Please patch CVEs for package junit4 version 4.11  
> INFO (CVEs are): junit4 4.11 cves found
> CVE-2020-15250
> Desc: In JUnit4 from version 4.7 and before 4.13.1, the test rule
> TemporaryFolder contains a local information disclosure vulnerability. On
> Unix like systems, the system's temporary directory is shared between all
> users on that system. Because of this, when files and directories are
> written into this directory they are, by default, readable by other users on
> that same system. This vulnerability does not allow other users to overwrite
> the contents of these directories or files. This is purely an information
> disclosure vulnerability. This vulnerability impacts you if the JUnit tests
> write sensitive information, like API keys or passwords, into the temporary
> folder, and the JUnit tests execute in an environment where the OS has other
> untrusted users. Because certain JDK file system APIs were only added in JDK
> 1.7, this fix is dependent upon the version of the JDK you are using.
> For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For
> Java 1.6 and lower users: no patch is available, you must use the workaround
> below. If you are unable to patch, or are stuck running on Java 1.6,
> specifying the `java.io.tmpdir` system environment variable to a directory
> that is exclusively owned by the executing user will fix this vulnerability.
> For more information, including an example of vulnerable code, see the
> referenced GitHub Security Advisory.
> Link: https://nvd.nist.gov/vuln/detail/CVE-2020-15250
> Severity: MEDIUM

Removed from the repository.
https://abf.io/import/junit4/commit/75e61458cdfa33a64d546d7185b6c55605e135c7
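The workaround quoted above (pointing `java.io.tmpdir` at a directory exclusively owned by the executing user) is easy to misconfigure silently. The following is an added example, not code from the bug report or from JUnit itself: it checks whether the configured temp directory is really private to the current user, and creates a per-test directory with owner-only permissions using the JDK 7 `java.nio.file` attribute APIs the advisory alludes to. It assumes a POSIX filesystem (the `getPosixFilePermissions` calls throw `UnsupportedOperationException` elsewhere).

```java
// Added example (not from the bug report or JUnit): verify that the
// java.io.tmpdir workaround for CVE-2020-15250 is actually in effect, and
// create a temporary directory that is not readable by other local users.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TmpDirCheck {

    /** True only if dir is owned by the current user and has no group/other bits. */
    static boolean isPrivateToCurrentUser(Path dir) throws IOException {
        String owner = Files.getOwner(dir).getName();
        String me = System.getProperty("user.name");
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        boolean othersCanAccess = perms.stream()
                .anyMatch(p -> p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_"));
        return owner.equals(me) && !othersCanAccess;
    }

    /** Create a temp directory with mode 0700 (owner read/write/execute only). */
    static Path createPrivateTempDir(Path parent) throws IOException {
        Set<PosixFilePermission> ownerOnly = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE);
        // The umask can only remove bits, so 0700 stays 0700 on a POSIX filesystem.
        return Files.createTempDirectory(parent, "junit",
                PosixFilePermissions.asFileAttribute(ownerOnly));
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        // On a shared /tmp (root-owned, mode 1777) this prints false: the
        // workaround is not in effect and TemporaryFolder contents are exposed.
        System.out.println(tmp + " private to " + System.getProperty("user.name")
                + ": " + isPrivateToCurrentUser(tmp));
        Path dir = createPrivateTempDir(tmp);
        System.out.println("created " + dir + " with permissions "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(dir)));
    }
}
```

Run it with `-Djava.io.tmpdir=...` set to the directory the tests will use; a `false` from the first check means the CVE's precondition (a temp directory shared with other users) still holds.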
