Your message dated Tue, 10 Dec 2019 10:04:59 +0000
with message-id <[email protected]>
and subject line Bug#926923: fixed in gradle 4.4.1-10
has caused the Debian Bug report #926923,
regarding gradle: CVE-2019-11065
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
926923: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926923
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gradle
Version: 4.4.1-5
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for gradle.
CVE-2019-11065[0]:
| Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download
| dependencies when the built-in JavaScript or CoffeeScript Gradle
| plugins are used. Dependency artifacts could have been maliciously
| compromised by a MITM attack against the ajax.googleapis.com web site.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
https://github.com/gradle/gradle/pull/8927
Cheers!
Sylvain Beucler
--- End Message ---
--- Begin Message ---
Source: gradle
Source-Version: 4.4.1-10
We believe that the bug you reported is fixed in the latest version of
gradle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Hans-Christoph Steiner <[email protected]> (supplier of updated gradle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 10 Dec 2019 10:55:15 +0100
Source: gradle
Architecture: source
Version: 4.4.1-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Hans-Christoph Steiner <[email protected]>
Closes: 926923
Changes:
gradle (4.4.1-10) unstable; urgency=medium
.
* Team upload.
* use HTTPS URLs in packaging
* fix CVE-2019-11065 with upstream patch (Closes: 926923)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---