Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2023:3090-1

Опубликовано: 01 авг. 2023
Источник: suse-cvrf

Описание

Security update for guava

This update for guava fixes the following issues:

Upgrade to guava 32.0.1:

  • CVE-2020-8908: Fixed predictable temporary files and directories used in FileBackedOutputStream (bsc#1179926).
  • CVE-2023-2976: Fixed a temp directory creation vulnerability (bsc#1212401).

Список пакетов

Container bci/openjdk-devel:11
guava-32.0.1-150200.3.7.1
Container bci/openjdk-devel:17
guava-32.0.1-150200.3.7.1
Container bci/openjdk-devel:latest
guava-32.0.1-150200.3.7.1
Container suse/manager/5.0/x86_64/server:latest
guava-32.0.1-150200.3.7.1
Image server-image
guava-32.0.1-150200.3.7.1
SUSE Linux Enterprise Module for Development Tools 15 SP4
guava-32.0.1-150200.3.7.1
SUSE Linux Enterprise Module for Development Tools 15 SP5
guava-32.0.1-150200.3.7.1
SUSE Linux Enterprise Real Time 15 SP3
guava-32.0.1-150200.3.7.1
openSUSE Leap 15.4
guava-32.0.1-150200.3.7.1
guava-javadoc-32.0.1-150200.3.7.1
guava-testlib-32.0.1-150200.3.7.1
openSUSE Leap 15.5
guava-32.0.1-150200.3.7.1
guava-javadoc-32.0.1-150200.3.7.1
guava-testlib-32.0.1-150200.3.7.1

Ссылки

Описание

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Затронутые продукты
Container bci/openjdk-devel:11:guava-32.0.1-150200.3.7.1
Container bci/openjdk-devel:17:guava-32.0.1-150200.3.7.1
Container bci/openjdk-devel:latest:guava-32.0.1-150200.3.7.1
Container suse/manager/5.0/x86_64/server:latest:guava-32.0.1-150200.3.7.1
Ссылки

Описание

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Затронутые продукты
Container bci/openjdk-devel:11:guava-32.0.1-150200.3.7.1
Container bci/openjdk-devel:17:guava-32.0.1-150200.3.7.1
Container bci/openjdk-devel:latest:guava-32.0.1-150200.3.7.1
Container suse/manager/5.0/x86_64/server:latest:guava-32.0.1-150200.3.7.1
Ссылки