<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_CONFIRMED" title="CONFIRMED - [CVE 21] guava 25.0 CVEs found" href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13529">13529</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] guava 25.0 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2020-8908, CVE-2023-2976
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>e.kosachev@rosalinux.ru, s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package guava version 25.0
INFO (CVEs are): guava 25.0
CVEs found:
CVE-2020-8908
Desc: A temp directory creation vulnerability exists in all versions of Guava,
allowing an attacker with access to the machine to potentially access data in a
temporary directory created by the Guava API
com.google.common.io.Files.createTempDir(). By default, on unix-like systems,
the created directory is world-readable (readable by an attacker with access to
the system). The method in question has been marked @Deprecated in versions
30.0 and later and should not be used. For Android developers, we recommend
choosing a temporary directory API provided by Android, such as
context.getCacheDir(). For other Java developers, we recommend migrating to the
Java 7 API java.nio.file.Files.createTempDirectory() which explicitly
configures permissions of 700, or configuring the Java runtime's java.io.tmpdir
system property to point to a location whose permissions are appropriately
configured.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-8908">https://nvd.nist.gov/vuln/detail/CVE-2020-8908</a>
Severity: LOW
CVE-2023-2976
Desc: Use of Java's default temporary directory for file creation in
`FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems
and Android Ice Cream Sandwich allows other users and apps on the machine with
access to the default Java temporary directory to be able to access the files
created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend
using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2976">https://nvd.nist.gov/vuln/detail/CVE-2023-2976</a>
Severity: HIGH</pre>
</div>
</p>
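<p>Added example (not part of this bug report or of Guava itself): a JDK-only Java program showing the java.nio.file.Files.createTempDirectory() replacement recommended above for CVE-2020-8908, next to a hypothetical isAccessibleToOthers() audit that flags any temporary directory carrying group or other permission bits, which is also the condition behind CVE-2023-2976's files in java.io.tmpdir. It assumes a POSIX filesystem; the second directory is constructed with umask-style permissions purely to stand in for the legacy Guava behaviour, since Guava is not on the classpath here.</p>

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class GuavaTempDirCheck {
    // Replacement for the deprecated com.google.common.io.Files.createTempDir():
    // java.nio.file.Files.createTempDirectory() sets mode 700 on POSIX systems,
    // so other local users cannot enter or read the directory.
    public static Path createPrivateTempDir(String prefix) throws IOException {
        return Files.createTempDirectory(prefix);
    }

    // Audit helper (hypothetical name): true when group or others hold any
    // permission on dir, i.e. the exposure CVE-2020-8908 describes.
    public static boolean isAccessibleToOthers(Path dir) throws IOException {
        Set<PosixFilePermission> perms = EnumSet.copyOf(Files.getPosixFilePermissions(dir));
        perms.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ,
                                   PosixFilePermission.OWNER_WRITE,
                                   PosixFilePermission.OWNER_EXECUTE));
        return !perms.isEmpty(); // anything left is group/other access
    }

    private static void report(String label, Path dir) throws IOException {
        String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(dir));
        System.out.println(label + " " + dir + " [" + mode + "] "
                + (isAccessibleToOthers(dir) ? "EXPOSED to other users" : "owner-only"));
    }

    public static void main(String[] args) throws IOException {
        Path fixed = createPrivateTempDir("guava-fixed-");
        try {
            report("JDK createTempDirectory:", fixed);
        } finally {
            Files.delete(fixed);
        }
        // Constructed stand-in for the legacy Guava behaviour: a directory whose
        // mode follows the umask (commonly 022 -> rwxr-xr-x) instead of an explicit 700.
        Path legacy = Files.createDirectory(Path.of(System.getProperty("java.io.tmpdir"),
                "guava-legacy-" + System.nanoTime()));
        try {
            Files.setPosixFilePermissions(legacy, PosixFilePermissions.fromString("rwxr-xr-x"));
            report("umask-style directory:  ", legacy);
        } finally {
            Files.delete(legacy);
        }
    }
}
```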
</body>
</html>