An update for ant is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2021-1277 Final 1.0 1.0 2021-07-24 Initial 2021-07-24 2021-07-24 openEuler SA Tool V1.0 2021-07-24 ant security update An update for ant is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. Ant is a Java based build tool. In theory it is kind of like "make" without makes wrinkles and with the full portability of pure java code. Security Fix(es): When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.(CVE-2021-36373) When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.(CVE-2021-36374) An update for ant is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium ant https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1277 https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-36373 https://openeuler.org/en/security/cve/detail.html?id=CVE-2021-36374 https://nvd.nist.gov/vuln/detail/CVE-2021-36373 https://nvd.nist.gov/vuln/detail/CVE-2021-36374 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 ant-apache-regexp-1.10.8-4.oe1.noarch.rpm ant-lib-1.10.8-4.oe1.noarch.rpm ant-apache-resolver-1.10.8-4.oe1.noarch.rpm ant-commons-logging-1.10.8-4.oe1.noarch.rpm ant-apache-log4j-1.10.8-4.oe1.noarch.rpm ant-javamail-1.10.8-4.oe1.noarch.rpm ant-apache-oro-1.10.8-4.oe1.noarch.rpm ant-apache-xalan2-1.10.8-4.oe1.noarch.rpm ant-apache-bsf-1.10.8-4.oe1.noarch.rpm ant-antlr-1.10.8-4.oe1.noarch.rpm ant-jsch-1.10.8-4.oe1.noarch.rpm ant-xz-1.10.8-4.oe1.noarch.rpm ant-jmf-1.10.8-4.oe1.noarch.rpm ant-help-1.10.8-4.oe1.noarch.rpm ant-commons-net-1.10.8-4.oe1.noarch.rpm ant-junit-1.10.8-4.oe1.noarch.rpm ant-apache-bcel-1.10.8-4.oe1.noarch.rpm ant-jdepend-1.10.8-4.oe1.noarch.rpm ant-junit5-1.10.8-4.oe1.noarch.rpm ant-1.10.8-4.oe1.noarch.rpm ant-testutil-1.10.8-4.oe1.noarch.rpm ant-swing-1.10.8-4.oe1.noarch.rpm ant-imageio-1.10.8-4.oe1.noarch.rpm ant-apache-regexp-1.10.8-4.oe1.noarch.rpm ant-lib-1.10.8-4.oe1.noarch.rpm ant-apache-resolver-1.10.8-4.oe1.noarch.rpm ant-commons-logging-1.10.8-4.oe1.noarch.rpm ant-apache-log4j-1.10.8-4.oe1.noarch.rpm ant-javamail-1.10.8-4.oe1.noarch.rpm ant-apache-oro-1.10.8-4.oe1.noarch.rpm ant-apache-xalan2-1.10.8-4.oe1.noarch.rpm ant-apache-bsf-1.10.8-4.oe1.noarch.rpm ant-antlr-1.10.8-4.oe1.noarch.rpm ant-jsch-1.10.8-4.oe1.noarch.rpm ant-xz-1.10.8-4.oe1.noarch.rpm ant-jmf-1.10.8-4.oe1.noarch.rpm ant-help-1.10.8-4.oe1.noarch.rpm ant-commons-net-1.10.8-4.oe1.noarch.rpm ant-junit-1.10.8-4.oe1.noarch.rpm ant-apache-bcel-1.10.8-4.oe1.noarch.rpm ant-jdepend-1.10.8-4.oe1.noarch.rpm ant-junit5-1.10.8-4.oe1.noarch.rpm ant-1.10.8-4.oe1.noarch.rpm ant-testutil-1.10.8-4.oe1.noarch.rpm ant-swing-1.10.8-4.oe1.noarch.rpm ant-imageio-1.10.8-4.oe1.noarch.rpm ant-1.10.8-4.oe1.src.rpm ant-1.10.8-4.oe1.src.rpm When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected. 2021-07-24 CVE-2021-36373 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H ant security update 2021-07-24 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1277 When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected. 2021-07-24 CVE-2021-36374 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H ant security update 2021-07-24 https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1277