Bug 683032 (CVE-2019-11065, CVE-2019-15052) - <dev-java/gradle-bin-6.3: Multiple vulnerabilities (CVE-2019-{11065,15052})
Summary: <dev-java/gradle-bin-6.3: Multiple vulnerabilities (CVE-2019-{11065,15052})
Status: RESOLVED FIXED
Alias: CVE-2019-11065, CVE-2019-15052
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial with 1 vote
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on: 633546
Blocks: CVE-2019-16370
Reported: 2019-04-10 15:16 UTC by Agostino Sarubbo
Modified: 2020-07-18 00:08 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2019-04-10 15:16:36 UTC
From ${URL} :

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065

Upstream Repository:
https://github.com/gradle/gradle/pull/8927


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2020-04-20 00:28:40 UTC
CVE-2019-15052 (https://nvd.nist.gov/vuln/detail/CVE-2019-15052):
  The HTTP client in Gradle before 5.6 sends authentication credentials
  originally destined for the configured host. If that host returns a 30x
  redirect, Gradle also sends those credentials to all subsequent hosts that
  the request redirects to. This is similar to CVE-2018-1000007.
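
The credential handling described in CVE-2019-15052, as an added example that is not part of this bug report or of Gradle's code: a redirect follower that attaches the Authorization header only while the target stays on the configured origin. The host names, the `follow` and `may_forward_credentials` helpers, and the strict same-origin policy are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def may_forward_credentials(configured_url, next_url):
    """Assumed policy: credentials go only to the exact configured origin,
    which also blocks an https -> http downgrade on the same host."""
    return origin(configured_url) == origin(next_url)

def follow(start_url, auth_header, fetch, max_redirects=5):
    """Follow 30x responses; return [(url, headers_sent), ...] for each hop."""
    trace, url = [], start_url
    for _ in range(max_redirects + 1):
        headers = {}
        if may_forward_credentials(start_url, url):
            headers["Authorization"] = auth_header
        trace.append((url, headers))
        status, location = fetch(url, headers)
        if status not in REDIRECTS or not location:
            return trace
        url = urljoin(url, location)  # Location may be relative
    raise RuntimeError("too many redirects")

# Constructed redirect chain; hosts and the credential are placeholders.
RESPONSES = {
    "https://repo.example.org/libs/a.jar": (302, "/mirror/a.jar"),
    "https://repo.example.org/mirror/a.jar": (307, "https://cdn.example.net/a.jar"),
    "https://cdn.example.net/a.jar": (200, None),
}

def fake_fetch(url, headers):
    """Stand-in for the network: look the response up in RESPONSES."""
    return RESPONSES[url]

def demo():
    return follow("https://repo.example.org/libs/a.jar", "Basic PLACEHOLDER", fake_fetch)

if __name__ == "__main__":
    for url, headers in demo():
        print(url, "->", "with credentials" if headers else "no credentials")
```
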
Comment 2 Larry the Git Cow gentoo-dev 2020-04-30 23:38:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c814e2c0e7b8761f63a974ffda468d6652fa6b

commit b0c814e2c0e7b8761f63a974ffda468d6652fa6b
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-04-30 23:37:02 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-04-30 23:38:21 +0000

    dev-java/gradle-bin: Bump to version 6.3 and EAPI 7
    
    Examples are no longer included but there is more documentation.
    
    Closes: https://bugs.gentoo.org/633546
    Bug: https://bugs.gentoo.org/683032
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 dev-java/gradle-bin/Manifest              |  1 +
 dev-java/gradle-bin/gradle-bin-6.3.ebuild | 49 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-05-05 22:25:49 UTC
Thanks Chewi!

@maintainer(s), please clean up.
Comment 4 Sam James archtester gentoo-dev Security 2020-06-18 02:39:47 UTC
@maintainer(s), ping, please clean up
Comment 5 Larry the Git Cow gentoo-dev 2020-07-18 00:00:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20e4fe5ab78b490e6f47f01a9273178945565920

commit 20e4fe5ab78b490e6f47f01a9273178945565920
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:28:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:56 +0000

    dev-java/gradle-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/683032
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/gradle-bin/Manifest                |  3 --
 dev-java/gradle-bin/gradle-bin-3.3.ebuild   | 51 --------------------------
 dev-java/gradle-bin/gradle-bin-3.4.1.ebuild | 51 --------------------------
 dev-java/gradle-bin/gradle-bin-5.2.1.ebuild | 56 -----------------------------
 4 files changed, 161 deletions(-)
Comment 6 Sam James archtester gentoo-dev Security 2020-07-18 00:07:33 UTC
Tree is clean. Closing.