Hello community, here is the log from the commit of package gradle for openSUSE:Factory checked in at 2019-09-18 13:13:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gradle (Old) and /work/SRC/openSUSE:Factory/.gradle.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gradle" Wed Sep 18 13:13:03 2019 rev:7 rq:731532 version:3.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/gradle/gradle.changes 2017-09-14 21:17:31.987004340 +0200 +++ /work/SRC/openSUSE:Factory/.gradle.new.7948/gradle.changes 2019-09-18 13:14:56.496645702 +0200 @@ -1,0 +2,14 @@ +Tue Sep 17 11:37:40 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Add LICENSE file to the correct tag + +------------------------------------------------------------------- +Tue Sep 17 11:31:39 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Security fix: [bsc#1150998, CVE-2019-16370] + * The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 + algorithm. PGP signing plugin might allow an attacker to replace + an artifact with a different one. +- Add gradle-CVE-2019-16370.patch + +------------------------------------------------------------------- New: ---- gradle-CVE-2019-16370.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gradle.spec ++++++ --- /var/tmp/diff_new_pack.AMY24y/_old 2019-09-18 13:14:59.624645044 +0200 +++ /var/tmp/diff_new_pack.AMY24y/_new 2019-09-18 13:14:59.624645044 +0200 @@ -1,7 +1,7 @@ # # spec file for package gradle # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -22,8 +22,9 @@ Summary: Groovy-based build system License: Apache-2.0 Group: Development/Tools -Url: http://www.gradle.org/ +Url: https://www.gradle.org/ Source0: https://github.com/gradle/gradle/archive/v%{version}.zip +Patch0: gradle-CVE-2019-16370.patch BuildRequires: java-devel BuildRequires: javapackages-tools BuildRequires: unzip @@ -49,6 +50,7 @@ %prep %setup -q +%patch0 -p1 %build # Build Open API subpackage @@ -71,7 +73,7 @@ %defattr(-,root,root,-) %{_javadir}/gradle-open-api-%{version}.jar %{_javadir}/gradle-open-api.jar -%doc LICENSE +%license LICENSE %doc subprojects/distributions/src/toplevel/NOTICE %changelog ++++++ gradle-CVE-2019-16370.patch ++++++ >From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001 From: Vladimir Sitnikov <[email protected]> Date: Tue, 10 Sep 2019 14:37:35 +0300 Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing artifacts PGP signs a digest, so MITM is still possible provided an attacker can update the artifact in such a way that its SHA1 is intact. Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930 Signed-off-by: Vladimir Sitnikov <[email protected]> --- .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java index 5e022b5b5d07..3e212fe4a93d 100644 --- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java +++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java 
@@ -104,7 +104,7 @@ private void writeSignatureTo(OutputStream signatureDestination, PGPSignature pg public PGPSignatureGenerator createSignatureGenerator() { try { - PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1)); + PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512)); generator.init(PGPSignature.BINARY_DOCUMENT, privateKey); return generator; } catch (PGPException e) {
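Review bot: The new `PGPUtil.SHA512` in `createSignatureGenerator` is a bare magic constant with no comment recording why SHA-1 was dropped, so a later cleanup or merge could silently reintroduce it; I would hoist it into a documented constant, `private static final int HASH_ALGORITHM = PGPUtil.SHA512; // never SHA-1: digest collisions let a signature be transferred to another artifact (CVE-2019-16370)`, and pass `HASH_ALGORITHM` in the `BcPGPContentSignerBuilder` call. The commit message describes the attack as keeping "its SHA1 intact" (a second preimage), but as far as I know the practical SHA-1 weakness is chosen-prefix collision, which matters when an attacker can influence the artifact that gets signed; the comment should state that threat model precisely rather than echo the preimage wording. This change appears to affect only signatures Gradle produces, not how existing SHA-1 signatures are verified, which is worth saying in the release note. The `catch (PGPException e)` block of `createSignatureGenerator` continues past the end of this hunk.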
