Name | CVE-2018-10886 |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1431-1, DSA-4255-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
ant (PTS) | bullseye | 1.10.9-4 | fixed |
ant (PTS) | bookworm | 1.10.13-1 | fixed |
ant (PTS) | sid, trixie | 1.10.15-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
ant | source | jessie | 1.9.4-3+deb8u1 | | DLA-1431-1 | |
ant | source | stretch | 1.9.9-1+deb9u1 | | DSA-4255-1 | |
ant | source | (unstable) | 1.10.4-1 | | | |
Notes
Fixed upstream in 1.9.12 and 1.10.4
https://github.com/apache/ant/commit/e56e54565804991c62ec76dad385d2bdda8972a7
https://github.com/apache/ant/commit/1a2b1e37e3616991588f21efa89c474dd6ff83ff
https://github.com/apache/ant/commit/f72406d53cfb3b3425cc9d000eea421a0e05d8fe
https://github.com/apache/ant/commit/857095da5153fd18504b46f276d84f1e76a66970
https://bugzilla.redhat.com/show_bug.cgi?id=1584407
The CVE was rejected because it was assigned by Red Hat's CNA but is out of
scope for the assigning CNA. The rejection was not because the issue is
technically invalid, but because it was assigned by a CNA whose scope does
not cover ant. It would fall under the Apache CNA instead.