
Bug 683032 (CVE-2019-11065, CVE-2019-15052)

Summary: <dev-java/gradle-bin-6.3: Multiple vulnerabilities (CVE-2019-{11065,15052})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: chainsaw, dan, flo, java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1698508
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 633546
Bug Blocks: 711190

Description Agostino Sarubbo gentoo-dev 2019-04-10 15:16:36 UTC
From ${URL} :

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065

Upstream Repository:
https://github.com/gradle/gradle/pull/8927


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-20 00:28:40 UTC
CVE-2019-15052 (https://nvd.nist.gov/vuln/detail/CVE-2019-15052):
  The HTTP client in Gradle before 5.6 sends authentication credentials
  originally destined for the configured host. If that host returns a 30x
  redirect, Gradle also sends those credentials to all subsequent hosts that
  the request redirects to. This is similar to CVE-2018-1000007.
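As an added example, not Gradle's code and not part of this bug, the Python below shows the two defensive behaviours the CVE descriptions above call for: flagging dependency URLs that are not fetched over HTTPS (CVE-2019-11065, the plain-http download from ajax.googleapis.com) and dropping credential headers when a 30x redirect leaves the origin the credentials were configured for (CVE-2019-15052, the same class of issue as CVE-2018-1000007). The `fetch` callable, the `SAMPLE_RESPONSES` table and every URL and header value are constructed so the example runs offline; the function names are this example's own.

```python
"""Defensive HTTP client behaviour for the two Gradle CVEs on this bug.

Added example, constructed for this page; it is not Gradle's implementation.
The fake network below stands in for real servers so everything runs offline.
"""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials and must not leak to another origin.
CREDENTIAL_HEADERS = {"authorization", "cookie"}

# Status codes whose Location header we follow.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# A fetch returns (status, response headers) for a URL and the headers sent.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str]]]


def insecure_dependency_urls(urls: List[str]) -> List[str]:
    """Return the dependency URLs that are not HTTPS (the CVE-2019-11065 class).

    A plain http:// artifact URL can be rewritten by an on-path attacker, so a
    build should refuse or at least report such entries before downloading.
    """
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) triple; a scheme downgrade counts as a new origin."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme.lower() == "https" else 80
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port or default_port)


def headers_for_redirect(from_url: str, to_url: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Headers to send on the next hop of a redirect chain.

    Credentials configured for the original host are dropped as soon as the
    chain leaves that origin (the CVE-2019-15052 fix); same-origin redirects
    keep them so ordinary path redirects still authenticate.
    """
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def fetch_following_redirects(url: str, headers: Dict[str, str], fetch: Fetch,
                              max_redirects: int = 5) -> Tuple[str, Dict[str, str], int]:
    """Follow 30x redirects by hand so credentials are re-evaluated at each hop.

    Returns (final_url, headers_sent_on_final_hop, final_status). Once a hop
    has stripped the credentials they are never re-added, even if a later
    redirect returns to the original origin; that is the conservative choice.
    """
    current, current_headers = url, dict(headers)
    for _ in range(max_redirects + 1):
        status, response = fetch(current, current_headers)
        location = response.get("Location") or response.get("location")
        if status not in REDIRECT_STATUSES or not location:
            return current, current_headers, status
        nxt = urljoin(current, location)  # resolve relative Location values
        current_headers = headers_for_redirect(current, nxt, current_headers)
        current = nxt
    raise RuntimeError("too many redirects")


# Constructed fake network: URL -> (status, response headers).
SAMPLE_RESPONSES = {
    "https://repo.example.test/lib.jar": (302, {"Location": "https://cdn.example.net/lib.jar"}),
    "https://cdn.example.net/lib.jar": (200, {}),
    "https://repo.example.test/same.jar": (307, {"Location": "/mirror/same.jar"}),
    "https://repo.example.test/mirror/same.jar": (200, {}),
}


def sample_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in for a real HTTP GET."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    # Constructed sample dependency list; the http entry is the CVE-2019-11065 shape.
    deps = ["http://ajax.googleapis.com/example.js", "https://repo.example.test/lib.jar"]
    print("insecure:", insecure_dependency_urls(deps))
    creds = {"Authorization": "Basic Y29uc3RydWN0ZWQ=", "Accept": "*/*"}  # constructed
    print(fetch_following_redirects("https://repo.example.test/lib.jar", creds, sample_fetch))
    print(fetch_following_redirects("https://repo.example.test/same.jar", creds, sample_fetch))
```

The cross-origin case (`repo.example.test` redirecting to `cdn.example.net`) reaches the CDN with only the `Accept` header, while the same-origin path redirect keeps `Authorization`; that difference is the whole of the CVE-2019-15052 fix, and the `insecure_dependency_urls` check is the build-side guard against the CVE-2019-11065 class.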
Comment 2 Larry the Git Cow gentoo-dev 2020-04-30 23:38:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c814e2c0e7b8761f63a974ffda468d6652fa6b

commit b0c814e2c0e7b8761f63a974ffda468d6652fa6b
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-04-30 23:37:02 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-04-30 23:38:21 +0000

    dev-java/gradle-bin: Bump to version 6.3 and EAPI 7
    
    Examples are no longer included but there is more documentation.
    
    Closes: https://bugs.gentoo.org/633546
    Bug: https://bugs.gentoo.org/683032
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 dev-java/gradle-bin/Manifest              |  1 +
 dev-java/gradle-bin/gradle-bin-6.3.ebuild | 49 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-05-05 22:25:49 UTC
Thanks Chewi!

@maintainer(s), please cleanup.
Comment 4 Sam James archtester gentoo-dev Security 2020-06-18 02:39:47 UTC
@maintainer(s), ping, please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2020-07-18 00:00:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20e4fe5ab78b490e6f47f01a9273178945565920

commit 20e4fe5ab78b490e6f47f01a9273178945565920
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:28:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:56 +0000

    dev-java/gradle-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/683032
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/gradle-bin/Manifest                |  3 --
 dev-java/gradle-bin/gradle-bin-3.3.ebuild   | 51 --------------------------
 dev-java/gradle-bin/gradle-bin-3.4.1.ebuild | 51 --------------------------
 dev-java/gradle-bin/gradle-bin-5.2.1.ebuild | 56 -----------------------------
 4 files changed, 161 deletions(-)
Comment 6 Sam James archtester gentoo-dev Security 2020-07-18 00:07:33 UTC
Tree is clean. Closing.