<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><span class="vcard"><a class="email" href="mailto:s.matveev@rosalinux.ru" title="Svyatoslav Matveev <s.matveev@rosalinux.ru>"> <span class="fn">Svyatoslav Matveev</span></a>
</span> changed
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - [CVE 21] junit4 4.11 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13258">bug 13258</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>CONFIRMED
</td>
<td>RESOLVED
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>---
</td>
<td>INVALID
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - [CVE 21] junit4 4.11 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13258#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED INVALID - [CVE 21] junit4 4.11 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13258">bug 13258</a>
from <span class="vcard"><a class="email" href="mailto:s.matveev@rosalinux.ru" title="Svyatoslav Matveev <s.matveev@rosalinux.ru>"> <span class="fn">Svyatoslav Matveev</span></a>
</span></b>
<pre>(In reply to Yury from <a href="show_bug.cgi?id=13258#c0">comment #0</a>)
<span class="quote">> Please patch CVEs for package junit4 version 4.11
> INFO (CVEs are): junit4 4.11 cves found
> CVE-2020-15250
> Desc: In JUnit4 from version 4.7 and before 4.13.1, the test rule
> TemporaryFolder contains a local information disclosure vulnerability. On
> Unix like systems, the system's temporary directory is shared between all
> users on that system. Because of this, when files and directories are
> written into this directory they are, by default, readable by other users on
> that same system. This vulnerability does not allow other users to overwrite
> the contents of these directories or files. This is purely an information
> disclosure vulnerability. This vulnerability impacts you if the JUnit tests
> write sensitive information, like API keys or passwords, into the temporary
> folder, and the JUnit tests execute in an environment where the OS has other
> untrusted users. Because certain JDK file system APIs were only added in JDK
> 1.7, this fix is dependent upon the version of the JDK you are using.
> For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For
> Java 1.6 and lower users: no patch is available, you must use the workaround
> below. If you are unable to patch, or are stuck running on Java 1.6,
> specifying the `java.io.tmpdir` system environment variable to a directory
> that is exclusively owned by the executing user will fix this vulnerability.
> For more information, including an example of vulnerable code, see the
> referenced GitHub Security Advisory.
> Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15250">https://nvd.nist.gov/vuln/detail/CVE-2020-15250</a>
> Severity: MEDIUM</span >
Removed from the repository.
<a href="https://abf.io/import/junit4/commit/75e61458cdfa33a64d546d7185b6c55605e135c7">https://abf.io/import/junit4/commit/75e61458cdfa33a64d546d7185b6c55605e135c7</a></pre>
</div>
</p>
</body>
</html>