https://bugzilla.redhat.com/show_bug.cgi?id=1698508
Bug ID: 1698508
Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190409,reported=20190410,source=internet,cvss3=8.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N,cwe=CWE-345,fedora-28/gradle=affected,fedora-29/gradle=affected,epel-6/gradle=affected,jbews-3/gradle=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: csutherl@redhat.com, dan@danieljamesscott.org, gzaronik@redhat.com, java-sig-commits@lists.fedoraproject.org, jclere@redhat.com, jjelen@redhat.com, lgao@redhat.com, lkundrak@v3.sk, mbabacek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, myarboro@redhat.com, stewardship-sig@lists.fedoraproject.org, twalsh@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
Gradle versions 1.4 through 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Because the download is not protected by TLS, dependency artifacts could be maliciously replaced by a MITM attacker positioned between the build and the ajax.googleapis.com web site.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
Upstream Repository: https://github.com/gradle/gradle/pull/8927
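As an added example (not code from the Gradle project, the upstream pull request, or this bug report), the following Python script audits a Gradle build script for the class of weakness described above: repository or artifact URLs fetched over plain HTTP. The sample build script is constructed for the example. The `allowInsecureProtocol` check looks for the explicit opt-in that later Gradle releases require before they will use an HTTP repository, and the rewrite helper assumes each affected host also serves the same content over HTTPS, which must be verified before committing the change.

```python
import re
from typing import List, Tuple

# Constructed sample build script (not from any real project) that mixes
# plaintext-HTTP repositories with a correctly configured HTTPS one.
SAMPLE_BUILD_GRADLE = """\
plugins {
    id 'java'
}

repositories {
    mavenCentral()
    maven { url 'http://ajax.googleapis.com/ajax/libs' }          // plaintext, MITM-able
    maven { url "https://repo.example.com/releases" }            // fine
    maven {
        url = uri("http://nexus.internal.example/repository/m2")
        allowInsecureProtocol = true                             // explicit opt-in to HTTP
    }
    ivy { url 'http://ivy.example.org/repo' }
}
"""

# A quoted URL literal as written in Groovy or Kotlin DSL build scripts.
URL_LITERAL = re.compile(r"""['"](https?://[^'"\s]+)['"]""")
# Groovy `allowInsecureProtocol true`, `= true`, or Kotlin `.set(true)`.
INSECURE_OPT_IN = re.compile(r"allowInsecureProtocol\s*(?:=|\.set\()?\s*true")
# A trailing // comment; the lookbehind keeps the // inside http:// intact.
COMMENT = re.compile(r"(?<!:)//.*$")


def find_plaintext_urls(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every http:// URL literal in the script."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        code = COMMENT.sub("", line)  # ignore commented-out URLs
        for match in URL_LITERAL.finditer(code):
            url = match.group(1)
            if url.startswith("http://"):
                findings.append((lineno, url))
    return findings


def find_insecure_opt_ins(script: str) -> List[int]:
    """Return line numbers that explicitly allow a repository over plain HTTP."""
    return [
        lineno
        for lineno, line in enumerate(script.splitlines(), start=1)
        if INSECURE_OPT_IN.search(COMMENT.sub("", line))
    ]


def upgrade_to_https(script: str) -> str:
    """Rewrite http:// URL literals to https:// and drop the HTTP opt-ins.

    Assumption: every rewritten host actually serves the repository over
    TLS. Confirm that (and the artifact checksums) before relying on it.
    """
    hardened = []
    for line in script.splitlines():
        if INSECURE_OPT_IN.search(COMMENT.sub("", line)):
            continue  # an HTTPS repository needs no insecure-protocol opt-in
        hardened.append(
            URL_LITERAL.sub(
                lambda m: m.group(0).replace("http://", "https://", 1), line
            )
        )
    return "\n".join(hardened) + "\n"


if __name__ == "__main__":
    for lineno, url in find_plaintext_urls(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: plaintext HTTP repository {url}")
    for lineno in find_insecure_opt_ins(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: allowInsecureProtocol opt-in")
    print("--- hardened ---")
    print(upgrade_to_https(SAMPLE_BUILD_GRADLE), end="")
```

Run against the constructed sample, the scanner reports the ajax.googleapis.com URL of the kind this CVE concerns along with the other two plaintext repositories, and the rewritten script contains no http:// literals. Point the same functions at a real build.gradle or build.gradle.kts to audit a project; the fix for the plugin in the upstream pull request is the same idea applied to the hard-coded URL inside Gradle itself.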
Marian Rehak mrehak@redhat.com changed:

What        |Removed |Added
------------+--------+--------------------------
Depends On  |        |1698509, 1698511, 1698510
--- Comment #1 from Marian Rehak mrehak@redhat.com --- Created gradle tracking bugs for this issue:
Affects: epel-6 [bug 1698511] Affects: fedora-28 [bug 1698509] Affects: fedora-29 [bug 1698510]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1698509 [Bug 1698509] CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [fedora-28]
https://bugzilla.redhat.com/show_bug.cgi?id=1698510 [Bug 1698510] CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [fedora-29]
https://bugzilla.redhat.com/show_bug.cgi?id=1698511 [Bug 1698511] CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [epel-6]
Bug 1698508 depends on bug 1698511, which changed state.

Bug 1698511 Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1698511

What        |Removed |Added
------------+--------+--------
Status      |NEW     |CLOSED
Resolution  |---     |NOTABUG
Marian Rehak mrehak@redhat.com changed:

What        |Removed |Added
------------+--------+--------
Blocks      |        |1699296
Bug 1698508 depends on bug 1698509, which changed state.

Bug 1698509 Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [fedora-28]
https://bugzilla.redhat.com/show_bug.cgi?id=1698509

What        |Removed |Added
------------+--------+--------
Status      |ON_QA   |CLOSED
Resolution  |---     |ERRATA
--- Comment #2 from Fedora Update System updates@fedoraproject.org --- gradle-4.3.1-9.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1698508 depends on bug 1698510, which changed state.

Bug 1698510 Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [fedora-29]
https://bugzilla.redhat.com/show_bug.cgi?id=1698510

What        |Removed |Added
------------+--------+--------
Status      |ON_QA   |CLOSED
Resolution  |---     |ERRATA
Product Security DevOps Team prodsec-dev@redhat.com changed:

What        |Removed |Added
------------+--------+--------------------
Status      |NEW     |CLOSED
Resolution  |---     |WONTFIX
Last Closed |        |2019-09-10 12:45:32
--- Comment #4 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-11065
--- Doc Text *updated* by Kunjan Rathod krathod@redhat.com --- A flaw was discovered in Gradle where it uses an insecure HTTP URL to download dependencies which may cause dependency artifacts to be maliciously compromised by a Man-in-the-middle (MITM) attack.
--- Doc Text *updated* by Kunjan Rathod krathod@redhat.com --- A flaw was discovered in Gradle where it uses an insecure HTTP URL to download dependencies which may cause dependency artifacts to be maliciously compromised by a Man-in-the-middle (MITM) attack.
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was discovered in Gradle, where it uses an insecure HTTP URL to download dependencies. This flaw causes dependency artifacts to be maliciously compromised by a Man-in-the-middle (MITM) attack.