175 matches found
Design/Logic Flaw
The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...
Advisory ROSA-SA-2021-1805
Software: ant 1.9.4 OS: Cobalt 7.9 CVE-ID: CVE-2020-1945 CVE-Crit: MEDIUM CVE-DESC: Apache Ant 1.1 through 1.9.14 and 1.10.0 through 1.10.7 uses the default temporary directory defined by the Java system property java.io.tmpdir for several tasks, and thus may leak sensitive information. The fixcr...
Simple Application Security Integrations for DevOps
Explore why application security matters and how you can integrate it into your build process without added stress or interruption...
CVE-2021-20266
A flaw was found in RPM's hdrblobInit in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability...
CVE-2021-27851
A security vulnerability that can lead to local privilege escalation has been found in 'guix-daemon'. It affects multi-user setups in which 'guix-daemon' runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build...
Design/Logic Flaw
A security vulnerability that can lead to local privilege escalation has been found in 'guix-daemon'. It affects multi-user setups in which 'guix-daemon' runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build...
CVE-2021-27851 Local privilege escalation in GNU Guix via guix-daemon and '--keep-failed'
A security vulnerability that can lead to local privilege escalation has been found in 'guix-daemon'. It affects multi-user setups in which 'guix-daemon' runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build...
GNU Guix backlink vulnerability
GNU Guix is an open source, cross-platform package manager for the GNU community. A backlink vulnerability exists in GNU guix-daemon that allows an unprivileged user to spawn a build process...
Privilege Escalation
bullseye is vulnerable to privilege escalation. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build directory world-writable. The user then creates a hardlink to a root-owned file such as /etc/shadow in that build directory. ...
MGASA-2021-0173 Updated ant packages fix security vulnerability
Updated ant packages fix security vulnerability: As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one withou...
Maintain File Security during Compliance Scanning
Learn how to integrate security into the build process to protect downstream workflows from risk...
USN-4874-1 ant vulnerability
It was discovered that Apache Ant created temporary files with insecure permissions. An attacker could use this vulnerability to read sensitive information leaked into /tmp, or potentially inject malicious code into a project that is built with Apache Ant...
ant: insecure temporary file vulnerability
Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build...
CVE-2021-21316 Arbitrary code execution in less-openui5
less-openui5 is an npm package which enables building OpenUI5 themes with Less.js. In less-openui5 before version 0.10., when processing theming resources i.e. .less files with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be execut...
GHSA-F62V-XPXF-3V68 Code injection in Apache Ant
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the...
Security update for go1.15 (moderate)
openSUSE Security Update: Security update for go1.15 Announcement ID: openSUSE-SU-2021:0192-1 Rating: moderate References: 1175132 1181145 1181146 Cross-References: CVE-2021-3114 CVE-2021-3115 Affected Products: openSUSE Leap 15.2 An update that solves two vulnerabilities and has one errata is no...
SUSE SLED15 / SLES15 Security Update : go1.15 (SUSE-SU-2021:0223-1)
This update for go1.15 fixes the following issues: Go was updated to version 1.15.7 bsc1175132. Security issues fixed: CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic bsc1181145. CVE-2021-3115: Fixed a potential arbitrary code execution in the build process...
SUSE SLED15 / SLES15 Security Update : go1.14 (SUSE-SU-2021:0222-1)
This update for go1.14 fixes the following issues: Go was updated to version 1.14.14 bsc1164903. Security issues fixed: CVE-2021-3114: Fixed incorrect operations on the P-224 curve in crypto/elliptic bsc1181145. CVE-2021-3115: Fixed a potential arbitrary code execution in the build process...