"The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900."
The bug has been referenced in the following commit(s):
Author: Florian Schmaus <email@example.com>
AuthorDate: 2020-03-01 19:27:34 +0000
Commit: Florian Schmaus <firstname.lastname@example.org>
CommitDate: 2020-03-01 19:27:34 +0000
dev-java/gradle-bin: add 6.2.1
This release of gradle also includes a fix for CVE-2019-16370 ("PGP
signing should not use SHA1", gentoo bug #711190)
Signed-off-by: Florian Schmaus <email@example.com>
Package-Manager: Portage-2.3.84, Repoman-2.3.20
dev-java/gradle-bin/Manifest | 1 +
dev-java/gradle-bin/gradle-bin-6.2.1.ebuild | 55 +++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
Package has no stable ebuild.
Note: The commit above is from the JAVA overlay; 6.x is not yet in the Gentoo repository.
@ maintainer(s): Please share your plans for the Gentoo repository with us!
Tree is clean. Closing.