| Summary: | <dev-java/gradle-bin-6.3: Multiple vulnerabilities (CVE-2019-{11065,15052}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | chainsaw, dan, flo, java |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1698508 | ||
| Whiteboard: | ~3 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 633546 | ||
| Bug Blocks: | 711190 | ||
CVE-2019-15052 (https://nvd.nist.gov/vuln/detail/CVE-2019-15052): The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c814e2c0e7b8761f63a974ffda468d6652fa6b commit b0c814e2c0e7b8761f63a974ffda468d6652fa6b Author: James Le Cuirot <chewi@gentoo.org> AuthorDate: 2020-04-30 23:37:02 +0000 Commit: James Le Cuirot <chewi@gentoo.org> CommitDate: 2020-04-30 23:38:21 +0000 dev-java/gradle-bin: Bump to version 6.3 and EAPI 7 Examples are no longer included but there is more documentation. Closes: https://bugs.gentoo.org/633546 Bug: https://bugs.gentoo.org/683032 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: James Le Cuirot <chewi@gentoo.org> dev-java/gradle-bin/Manifest | 1 + dev-java/gradle-bin/gradle-bin-6.3.ebuild | 49 +++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) Thanks Chewi! @maintainer(s), please cleanup. @maintainer(s), ping, please cleanup The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20e4fe5ab78b490e6f47f01a9273178945565920 commit 20e4fe5ab78b490e6f47f01a9273178945565920 Author: Sam James <sam@gentoo.org> AuthorDate: 2020-07-17 21:28:27 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-07-17 23:59:56 +0000 dev-java/gradle-bin: security cleanup Bug: https://bugs.gentoo.org/683032 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Sam James <sam@gentoo.org> dev-java/gradle-bin/Manifest | 3 -- dev-java/gradle-bin/gradle-bin-3.3.ebuild | 51 -------------------------- dev-java/gradle-bin/gradle-bin-3.4.1.ebuild | 51 -------------------------- dev-java/gradle-bin/gradle-bin-5.2.1.ebuild | 56 ----------------------------- 4 files changed, 161 deletions(-) Tree is clean. Closing. |
From ${URL} : Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site. External Referencies: https://nvd.nist.gov/vuln/detail/CVE-2019-11065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065 Upstream Repository: https://github.com/gradle/gradle/pull/8927 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.