An update for guava is now available for openEuler-20.03-LTS-SP1

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
Advisory ID: openEuler-SA-2021-1049
Status: Final
Version: 1.0
Revision history: 1.0, 2021-03-05, Initial
Initial release date: 2021-03-05
Current release date: 2021-03-05
Generator: openEuler SA Tool V1.0 (2021-03-05)

Synopsis: guava security update

Guava is a set of core Java libraries from Google that includes new collection types (such as multimap and multiset), immutable collections, a graph library, and utilities for concurrency, I/O, hashing, caching, primitives, strings, and more! It is widely used on most Java projects within Google, and widely used by many other companies as well.

Security Fix(es):

A temp directory creation vulnerability exists in Guava versions prior to 30.0, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava com.google.common.io.Files.createTempDir(). The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. We recommend updating Guava to version 30.0 or later, or updating to Java 7 or later, or explicitly changing the permissions after the creation of the directory if neither is possible. (CVE-2020-8908)

openEuler Security has rated this update as having a security impact of low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: Low
Affected component: guava

References:
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1049
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-8908
https://nvd.nist.gov/vuln/detail/CVE-2020-8908

Affected product: openEuler-20.03-LTS-SP1

Packages:
guava-help-25.0-5.oe1.noarch.rpm
guava-testlib-25.0-5.oe1.noarch.rpm
guava-25.0-5.oe1.noarch.rpm
guava-25.0-5.oe1.src.rpm

Vulnerability: CVE-2020-8908
Release date: 2021-03-05
Affected product: openEuler-20.03-LTS-SP1
Severity: Low
CVSS base score: 3.3
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Remediation: guava security update (2021-03-05)