| Summary: | <dev-java/gradle-bin-6.3: SHA1 collision in PGP plugin, possible malicious artifact (CVE-2019-16370) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | chainsaw, flo, java |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://github.com/gradle/gradle/pull/10543 | ||
| See Also: | https://github.com/gentoo/gentoo/pull/14961 | ||
| Whiteboard: | ~4 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 683032 | ||
| Bug Blocks: | |||
|
Description
Sam James
2020-03-01 17:46:41 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/proj/java.git/commit/?id=b1ddb62a308af420f8ab1853235a9eb89d96d709 commit b1ddb62a308af420f8ab1853235a9eb89d96d709 Author: Florian Schmaus <flo@geekplace.eu> AuthorDate: 2020-03-01 19:27:34 +0000 Commit: Florian Schmaus <flo@geekplace.eu> CommitDate: 2020-03-01 19:27:34 +0000 dev-java/gradle-bin: add 6.2.1 This release of gradle also includes a fix for CVE-2019-16370 ("PGP signing should not use SHA1", gentoo bug #711190) Signed-off-by: Florian Schmaus <flo@geekplace.eu> Bug: https://bugs.gentoo.org/711190 Package-Manager: Portage-2.3.84, Repoman-2.3.20 dev-java/gradle-bin/Manifest | 1 + dev-java/gradle-bin/gradle-bin-6.2.1.ebuild | 55 +++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) Package has not stable ebuild. Note: Commit above is from JAVA overlay, 6.x is not yet in Gentoo repository. @ maintainer(s): Please share your plans for Gentoo repository with us! @maintainer(s): ping Tree is clean. Closing. |