https://bugzilla.redhat.com/show_bug.cgi?id=1758992
Bug ID: 1758992
Summary: CVE-2019-16370 gradle: PGP signing plugin security bypass
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: csutherl@redhat.com, dan@danieljamesscott.org, decathorpe@gmail.com, gzaronik@redhat.com, java-sig-commits@lists.fedoraproject.org, jclere@redhat.com, jjelen@redhat.com, lgao@redhat.com, lkundrak@v3.sk, mbabacek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, myarboro@redhat.com, twalsh@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
References:
https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b1...
https://github.com/gradle/gradle/pull/10543