Emmanuel Bourg pushed to branch master at Debian Java Maintainers / gradle
Commits: dd78c4c4 by Emmanuel Bourg at 2023-01-22T01:31:20+01:00 Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186) - - - - - 3 changed files: - debian/changelog - + debian/patches/CVE-2019-16370.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,10 @@ +gradle (4.4.1-18) unstable; urgency=medium + + * Team upload. + * Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186) + + -- Emmanuel Bourg <[email protected]> Sun, 22 Jan 2023 01:05:45 +0100 + gradle (4.4.1-17) unstable; urgency=medium * Team upload. ===================================== debian/patches/CVE-2019-16370.patch ===================================== 
@@ -0,0 +1,27 @@ +From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001 +From: Vladimir Sitnikov <[email protected]> +Date: Tue, 10 Sep 2019 14:37:35 +0300 +Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing + artifacts + +PGP signs a digest, so MITM is still possible provided an attacker can update +the artifact in such a way that its SHA1 is intact. + +Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930 + +Signed-off-by: Vladimir Sitnikov <[email protected]> +--- + .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java ++++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java +@@ -102,7 +102,7 @@ + + public PGPSignatureGenerator createSignatureGenerator() { + try { +- PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1)); ++ PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512)); + generator.init(PGPSignature.BINARY_DOCUMENT, privateKey); + return generator; + } catch (PGPException e) { ===================================== debian/patches/series ===================================== @@ -39,3 +39,4 @@ source-level.patch permit-illegal-access.patch java17-compatibility.patch auto-adjust-language-level.patch +CVE-2019-16370.patch View it on GitLab: https://salsa.debian.org/java-team/gradle/-/commit/dd78c4c4355ec11bda2caec9122491e20ee948ff -- View it on GitLab: https://salsa.debian.org/java-team/gradle/-/commit/dd78c4c4355ec11bda2caec9122491e20ee948ff You're receiving this email because of your account on salsa.debian.org.
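Review bot: the new debian/patches/CVE-2019-16370.patch keeps the upstream git headers (From/Date/Subject for commit f50bb2513f8880f75db2c2b3f1badbae856f6f85) but carries no `Bug-Debian:` field even though the changelog entry above closes #941186; adding `Bug-Debian: https://bugs.debian.org/941186` and, assuming the upstream repository is github.com/gradle/gradle, an `Origin: upstream, https://github.com/gradle/gradle/commit/f50bb2513f8880f75db2c2b3f1badbae856f6f85` line lets the DEP-3 tooling tie this patch to both the Debian bug and the upstream fix without the reader having to reconstruct that from the changelog.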
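Review bot: in the PgpSignatory.java hunk the digest is hard-coded as `PGPUtil.SHA512` inside `createSignatureGenerator()`, so it applies to every signature the plugin produces regardless of the key's preferred-hash-algorithm self-signature; that is a sound default for the RSA and DSA keys BouncyCastle accepts here, but a one-line comment on the `+` line saying why SHA-512 was chosen over the key's own preferences (CVE-2019-16370) would save the next reader a trip to the changelog. The patch adds no test, and a small one asserting `getHashAlgorithm() == HashAlgorithmTags.SHA512` on a signature produced by the generator would lock the fix in; it also touches only this one constructor call, so before treating the CVE as closed it is worth grepping the signing subproject for any remaining `PGPUtil.SHA1` reference that this patch does not cover.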
_______________________________________________ pkg-java-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits

