https://bugzilla.redhat.com/show_bug.cgi?id=1758992
Bug ID: 1758992
Summary: CVE-2019-16370 gradle: PGP signing plugin security bypass
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: csutherl@redhat.com, dan@danieljamesscott.org, decathorpe@gmail.com, gzaronik@redhat.com, java-sig-commits@lists.fedoraproject.org, jclere@redhat.com, jjelen@redhat.com, lgao@redhat.com, lkundrak@v3.sk, mbabacek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, myarboro@redhat.com, twalsh@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
References:
https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b1...
https://github.com/gradle/gradle/pull/10543
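As an added example (not code from the bug report or from the Gradle project), the check below reads the hash-algorithm octet of a version 4 OpenPGP signature packet (RFC 4880, section 5.2.3) so a pipeline that consumes detached .asc files can flag artifacts whose signature records SHA-1 as the digest; the two sample signatures are constructed for illustration and are not verifiable signatures.

```python
import base64
import re

# RFC 4880 section 9.4 hash-algorithm identifiers; the first three are weak.
HASH_ALGORITHMS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_DIGESTS = {"MD5", "SHA1", "RIPEMD160"}

def dearmor(text):
    """Return raw packet bytes from an ASCII-armored signature block."""
    m = re.search(r"-----BEGIN PGP SIGNATURE-----\n(.*?)-----END PGP SIGNATURE-----", text, re.S)
    if not m:
        raise ValueError("not an armored PGP signature")
    body = m.group(1).split("\n\n", 1)[-1]             # drop armor headers such as Version:
    lines = [l for l in body.splitlines() if l and not l.startswith("=")]  # "=..." is the CRC24
    return base64.b64decode("".join(lines))

def parse_header(packet):
    """Return (tag, body offset) for old- and new-format packet headers."""
    b0 = packet[0]
    if not b0 & 0x80:
        raise ValueError("invalid packet header")
    if b0 & 0x40:                                      # new format: tag in the low 6 bits
        tag, b1 = b0 & 0x3F, packet[1]
        offset = 2 if b1 < 192 else 3 if b1 < 224 else 6 if b1 == 255 else None
    else:                                              # old format: tag in bits 2-5
        tag, offset = (b0 >> 2) & 0x0F, {0: 2, 1: 3, 2: 5}.get(b0 & 0x03)
    if offset is None:
        raise ValueError("partial or indeterminate body length not supported")
    return tag, offset

def signature_hash_algorithm(packet):
    """Digest a version 4 signature packet (tag 2) was made with."""
    tag, offset = parse_header(packet)
    if tag != 2 or packet[offset] != 4:
        raise ValueError("expected a version 4 signature packet")
    hash_id = packet[offset + 3]  # v4 body: version, sig type, pubkey alg, hash alg, ...
    return HASH_ALGORITHMS.get(hash_id, f"unknown({hash_id})")

def audit_signature(armored):
    # Returns (digest name, is_weak) for one detached .asc signature.
    algo = signature_hash_algorithm(dearmor(armored))
    return algo, algo in WEAK_DIGESTS

def constructed_signature(hash_id):
    """Constructed, non-verifiable v4 signature packet used only as sample input."""
    body = bytes([4, 0, 1, hash_id]) + b"\x00\x00\x00\x00\x12\x34\x00\x08\xff"
    packet = bytes([0x88, len(body)]) + body           # old-format header, tag 2, 1-octet length
    return ("-----BEGIN PGP SIGNATURE-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP SIGNATURE-----\n")

SHA1_SAMPLE, SHA256_SAMPLE = constructed_signature(2), constructed_signature(8)
```

Run `audit_signature(open("artifact.jar.asc").read())` against a real detached signature; a `True` second element means the artifact should be re-signed with a SHA-2 digest.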
Dhananjay Arunesh darunesh@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Depends On  |        |1758993, 1758994
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com --- Created gradle tracking bugs for this issue:
Affects: epel-6 [bug 1758994]
Affects: fedora-all [bug 1758993]

Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1758993 [Bug 1758993] CVE-2019-16370 gradle: PGP signing plugin security bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1758994 [Bug 1758994] CVE-2019-16370 gradle: PGP signing plugin security bypass [epel-6]
Dhananjay Arunesh darunesh@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Blocks      |        |1758996
--- Comment #2 from Kunjan Rathod krathod@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Enterprise Web Server 3
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |WONTFIX
Last Closed |        |2019-10-30 12:51:19
--- Comment #3 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-16370
Bug 1758992 depends on bug 1758993, which changed state.

Bug 1758993 Summary: CVE-2019-16370 gradle: PGP signing plugin security bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1758993

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |EOL
Bug 1758992 depends on bug 1758994, which changed state.

Bug 1758994 Summary: CVE-2019-16370 gradle: PGP signing plugin security bypass [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1758994

What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |EOL