Bug 1698510
Summary: | CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts. [fedora-29] | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Marian Rehak <mrehak> |
Component: | gradle | Assignee: | Stewardship SIG <stewardship-sig> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 30 | CC: | dan, decathorpe, fcami, java-sig-commits, jjelen, lkundrak, mhroncok, mizdebsk, stewardship-sig |
Target Milestone: | --- | Keywords: | Security, SecurityTracking |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | gradle-4.3.1-9.fc29 gradle-4.4.1-4.fc30 | Doc Type: | No Doc Update |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-08-19 01:01:55 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1657836, 1675056 | ||
Bug Blocks: | 1698508 |
Description
Marian Rehak
2019-04-10 14:04:34 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=high

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=1698508,1698510

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new

I've committed fixes for Fedora 28 and 29. Fedora 30 and rawhide are blocked on FTBFS. I suspect the Stewardship SIG will talk about the f30/rawhide situation during our next meeting.

Build failed on ARM32 with OOM: https://koji.fedoraproject.org/koji/taskinfo?taskID=34101529
I'll try to resubmit it until I hit a 64-bit builder.

gradle-4.3.1-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9c15101fb

gradle-4.3.1-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-a9c15101fb

gradle-4.3.1-9.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Fedora 28 and 29 were fixed in version 4.3.1 release 9, but Fedora 30 and later are still vulnerable.

I'm reassigning the bug to the package owner since I don't maintain Gradle in affected Fedora versions.

Oh, I thought we did this when we rebuilt gradle :( We should really at least do it in F30. I'll try to work on this later.

Miro, do you remember which version of gradle I would have to submit as buildroot override to actually build the patched version?

gradle-4.3.1-8.fc29

It looks like that trick doesn't work in released fedora:

Invalid build. It must be tagged as either candidate or testing. :(

https://bugzilla.redhat.com/show_bug.cgi?id=1657836#c3

> Possible workaround:
>
> Tag gradle-4.3.1 into rawhide before building the newer version of gradle.
>
> $ koji tag-build f31-pending gradle-4.3.1-8.fc29
> $ koji wait-repo f31-build --build=gradle-4.3.1-8.fc29
> $ fedpkg build
>
> For F30:
>
> $ koji tag-build f30-updates-candidate gradle-4.3.1-8.fc29
> $ bodhi overrides save gradle-4.3.1-8.fc29 --wait
> $ fedpkg build

$ koji tag-build f31-pending gradle-4.3.1-8.fc29 --force
Created task 36893514
Watching tasks (this may be safely interrupted)...
36893514 tagBuild (noarch): open (buildvm-29.phx2.fedoraproject.org)
36893514 tagBuild (noarch): open (buildvm-29.phx2.fedoraproject.org) -> closed
  0 free  0 open  1 done  0 failed
36893514 tagBuild (noarch) completed successfully

FEDORA-2019-1b6383acdd has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-1b6383acdd

Thanks Miro, you're a Hero :+1:
The patched version is submitted to fedora 30, but I can't actually update it on rawhide because of unresolved dependencies. And honestly I don't care about gradle anymore, since it's probably going to be retired soon.

gradle-4.4.1-4.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-1b6383acdd

gradle-4.4.1-4.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
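The summary of this bug describes Gradle fetching dependencies over plain HTTP, which lets anyone on the network path substitute artifacts. The shell script below is an added example and is not part of this bug report, of the Fedora package, or of the Gradle project: it scans a project's Gradle build files for repository or distribution URLs served over http://, and constructs a small sample project containing a weak repositories block next to its https:// form so the check has something to find. The directory layout, the file contents and the host repo.example.test are assumptions made for the example; the regular expression is a heuristic and will not catch URLs assembled from variables at build time.

```shell
#!/bin/sh
# Added example (not code from the bug report, Fedora, or Gradle):
# find Gradle repository/distribution URLs that use cleartext http://.

insecure_gradle_urls() {
    # Print "file:line:text" for each build-file line that names a
    # repository, uri or wrapper distributionUrl over plain http://.
    # "|| true" keeps grep's exit status 1 (no match) from aborting callers.
    grep -rnE --include='*.gradle' --include='*.gradle.kts' \
        --include='gradle-wrapper.properties' \
        '(url|uri|maven|ivy|distributionUrl)[^#]*http://' "$1" || true
}

count_insecure_gradle_urls() {
    # Number of flagged lines under the directory given as $1.
    insecure_gradle_urls "$1" | wc -l | tr -d ' '
}

make_sample_project() {
    # Constructed sample project (an assumption for this example): one
    # weak http:// repository beside its corrected https:// form, plus a
    # wrapper that already downloads the distribution over TLS.
    dir=$(mktemp -d)
    mkdir -p "$dir/gradle/wrapper"
    cat > "$dir/build.gradle" <<'EOF'
repositories {
    // weak: POMs and jars travel in cleartext and can be swapped in transit
    maven { url "http://repo.example.test/maven2" }
    // corrected: TLS protects the integrity of the download path
    maven { url "https://repo.example.test/maven2" }
    mavenCentral()
}
EOF
    cat > "$dir/gradle/wrapper/gradle-wrapper.properties" <<'EOF'
distributionUrl=https\://services.gradle.org/distributions/gradle-5.0-bin.zip
EOF
    printf '%s\n' "$dir"
}

report_insecure_gradle_urls() {
    # Build the sample, report what the scan flags, and clean up.
    proj=$(make_sample_project)
    n=$(count_insecure_gradle_urls "$proj")
    echo "found $n plain-http Gradle URL(s) under $proj"
    insecure_gradle_urls "$proj"
    rm -rf "$proj"
}

report_insecure_gradle_urls
```

Run it from any shell; to audit a real checkout, call insecure_gradle_urls on the project directory and treat every hit as a candidate for an https:// replacement (or for a repository that publishes checksums you can pin).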