Source: gradle
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gradle.

CVE-2023-44387[0]:
| Gradle is a build tool with a focus on build automation and support
| for multi-language development. When copying or archiving symlinked
| files, Gradle resolves them but applies the permissions of the
| symlink itself instead of the permissions of the linked file to the
| resulting file. This leads to files having too many permissions,
| given that symlinks usually are world readable and writable. While
| it is unlikely this results in a direct vulnerability for the
| impacted build, it may open up attack vectors depending on where
| build artifacts end up being copied to or un-archived. In versions
| 7.6.3, 8.4 and above, Gradle will now properly use the permissions
| of the file pointed at by the symlink to set permissions of the
| copied or archived file.

https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9
https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44387
    https://www.cve.org/CVERecord?id=CVE-2023-44387

Please adjust the affected versions in the BTS as needed.
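The permission mix-up the advisory describes, reproduced in Python as an added example (this is not Gradle's code): a symlinked file is resolved for its content, but the mode written to the copy or the tar entry is taken from the link itself (lstat, typically 0777) instead of from the linked file (stat). The fixture, a 0600 file named secret.properties and a symlink to it, and all function names are constructed for the demonstration.

```python
import io
import os
import shutil
import stat
import tarfile
import tempfile
from pathlib import Path


def make_fixture(root: Path) -> tuple[Path, Path]:
    """Constructed fixture: a private file (0600) and a symlink pointing at it."""
    target = root / "secret.properties"
    target.write_text("apiKey=constructed-example-value\n")
    target.chmod(0o600)
    link = root / "secret.link"
    link.symlink_to(target)
    return target, link


def copy_with_link_mode(src: Path, dst: Path) -> int:
    """Pre-fix behaviour: copy the target's content, but chmod the copy to the
    mode of the symlink itself (os.lstat). Returns the resulting mode of dst."""
    shutil.copyfile(src, dst)                         # follows the link for content
    link_mode = stat.S_IMODE(os.lstat(src).st_mode)   # mode of the link, not the file
    os.chmod(dst, link_mode)
    return stat.S_IMODE(os.stat(dst).st_mode)


def copy_with_target_mode(src: Path, dst: Path) -> int:
    """Fixed behaviour: take the mode from the file the link points at (os.stat)."""
    shutil.copyfile(src, dst)
    target_mode = stat.S_IMODE(os.stat(src).st_mode)  # 0600 for the fixture
    os.chmod(dst, target_mode)
    return stat.S_IMODE(os.stat(dst).st_mode)


def tar_entry_mode(src: Path, use_link_mode: bool) -> int:
    """Write src into an in-memory tar as a regular file whose content is the
    resolved target, with the entry mode taken from the link (use_link_mode=True,
    the pre-fix behaviour) or from the target (False). Returns the mode stored
    in the archive, read back from the tar header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=src.name)
        info.type = tarfile.REGTYPE
        info.size = os.stat(src).st_size              # size of the resolved content
        st = os.lstat(src) if use_link_mode else os.stat(src)
        info.mode = stat.S_IMODE(st.st_mode)
        with open(src, "rb") as f:                    # open() follows the link
            tar.addfile(info, f)
    buf.seek(0)
    with tarfile.open(fileobj=buf, mode="r") as tar:
        return stat.S_IMODE(tar.getmember(src.name).mode)


def demo() -> dict[str, int]:
    """Run both behaviours against the fixture and return the observed modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target, link = make_fixture(root)
        return {
            "target": stat.S_IMODE(os.stat(target).st_mode),
            "copy_buggy": copy_with_link_mode(link, root / "out_buggy"),
            "copy_fixed": copy_with_target_mode(link, root / "out_fixed"),
            "tar_buggy": tar_entry_mode(link, use_link_mode=True),
            "tar_fixed": tar_entry_mode(link, use_link_mode=False),
        }


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:04o}")
```

On Linux the link mode is 0777, so both "buggy" results come out world-readable and world-writable while the source was 0600; the "fixed" results keep 0600. The same check (compare the mode of the copied or extracted artifact against os.stat of the original target) is what to run on a build's outputs when deciding whether an affected Gradle version actually produced over-permissive files.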