From ${URL} :

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065

Upstream Repository:
https://github.com/gradle/gradle/pull/8927

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2019-15052 (https://nvd.nist.gov/vuln/detail/CVE-2019-15052): The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
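The two issues reported above (plain-HTTP artifact downloads open to MITM, and configured credentials being re-sent to every host a 30x redirect leads to) are easiest to see side by side in a small simulated fetcher. The following is an added illustration written for this bug, not Gradle's own HTTP client or anything from the upstream fix; the hosts, URLs and the `Basic` credential value are constructed, and the "servers" are an in-memory table, so nothing touches the network. The `forward_credentials_on_redirect` switch models the pre-5.6 behaviour when set to `True` and the fixed policy (credentials only go to the originally configured host) when set to `False`; the scheme check models the defensive response to the first report.

```python
"""Simulated artifact fetch modelling the two Gradle problems discussed in this bug.

- refuse non-HTTPS artifact URLs (the MITM exposure of the first report), and
- do not forward the configured host's credentials to a different host after
  a 30x redirect (the credential leak of the second report).

Added example for illustration only; no real network access, constructed data.
"""
from urllib.parse import urljoin, urlsplit

# Constructed fake servers: URL -> (status, response headers, body).
# repo.example.test is the configured repository; it redirects to a CDN host.
FAKE_SERVERS = {
    "https://repo.example.test/lib-1.0.jar": (
        302, {"Location": "https://cdn.example.net/lib-1.0.jar"}, b""),
    "https://cdn.example.net/lib-1.0.jar": (200, {}, b"JARBYTES"),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def make_transport(servers):
    """Return a transport callable plus a log of (host, Authorization) per request."""
    seen = []

    def transport(url, headers):
        host = urlsplit(url).hostname
        seen.append((host, headers.get("Authorization")))
        status, resp_headers, body = servers[url]
        return status, resp_headers, body

    return transport, seen


def fetch(url, configured_host, credentials, transport,
          forward_credentials_on_redirect, max_redirects=5):
    """Follow redirects and return the final body.

    forward_credentials_on_redirect=True reproduces the leaky behaviour
    (credentials go to every host in the chain); False is the fixed policy
    (credentials go only to the host they were configured for).
    """
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        # First report: a plain-HTTP artifact URL can be tampered with in transit.
        if parts.scheme != "https":
            raise ValueError(f"refusing insecure artifact URL: {url}")
        headers = {}
        if parts.hostname == configured_host or forward_credentials_on_redirect:
            headers["Authorization"] = credentials
        status, resp_headers, body = transport(url, headers)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, resp_headers["Location"])
            continue
        if status == 200:
            return body
        raise RuntimeError(f"unexpected status {status} for {url}")
    raise RuntimeError("too many redirects")


# Constructed credential: base64("user:pass"), not a real secret.
CREDS = "Basic dXNlcjpwYXNz"


def hosts_that_received_credentials(forward_credentials_on_redirect):
    """Run the redirecting download and report which hosts saw the Authorization header."""
    transport, seen = make_transport(FAKE_SERVERS)
    fetch("https://repo.example.test/lib-1.0.jar", "repo.example.test", CREDS,
          transport, forward_credentials_on_redirect)
    return [host for host, auth in seen if auth is not None]


def insecure_url_refused():
    """True if the fetcher rejects an http:// artifact URL before sending anything."""
    transport, seen = make_transport(FAKE_SERVERS)
    try:
        fetch("http://repo.example.test/lib-1.0.jar", "repo.example.test", CREDS,
              transport, False)
    except ValueError:
        return len(seen) == 0
    return False


if __name__ == "__main__":
    print("leaky policy, hosts given credentials :",
          hosts_that_received_credentials(True))
    print("fixed policy, hosts given credentials :",
          hosts_that_received_credentials(False))
    print("http:// URL refused                   :", insecure_url_refused())
```

With the leaky policy both repo.example.test and cdn.example.net receive the Authorization header; with the fixed policy only the configured host does, which is the property the 5.6 change restores. The same check (does the host of the next hop still equal the host the credential was configured for?) is what a reviewer should look for in any HTTP client that both stores per-host credentials and follows redirects.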
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c814e2c0e7b8761f63a974ffda468d6652fa6b

commit b0c814e2c0e7b8761f63a974ffda468d6652fa6b
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-04-30 23:37:02 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-04-30 23:38:21 +0000

    dev-java/gradle-bin: Bump to version 6.3 and EAPI 7

    Examples are no longer included but there is more documentation.

    Closes: https://bugs.gentoo.org/633546
    Bug: https://bugs.gentoo.org/683032
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 dev-java/gradle-bin/Manifest              |  1 +
 dev-java/gradle-bin/gradle-bin-6.3.ebuild | 49 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)
Thanks Chewi! @maintainer(s), please cleanup.
@maintainer(s), ping, please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20e4fe5ab78b490e6f47f01a9273178945565920

commit 20e4fe5ab78b490e6f47f01a9273178945565920
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:28:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:56 +0000

    dev-java/gradle-bin: security cleanup

    Bug: https://bugs.gentoo.org/683032
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-java/gradle-bin/Manifest                |  3 --
 dev-java/gradle-bin/gradle-bin-3.3.ebuild   | 51 --------------------------
 dev-java/gradle-bin/gradle-bin-3.4.1.ebuild | 51 --------------------------
 dev-java/gradle-bin/gradle-bin-5.2.1.ebuild | 56 -----------------------------
 4 files changed, 161 deletions(-)
Tree is clean. Closing.