Bug 2174854 (CVE-2023-26053) - CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
Summary: CVE-2023-26053 gradle: usage of long IDs for PGP keys is unsafe and is subject to collision attacks
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-26053
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2174844
Reported: 2023-03-02 14:03 UTC by Borja Tarraso
Modified: 2023-11-14 17:26 UTC (History)

Fixed In Version: gradle 6.9.4, gradle 7.6.1, gradle 8.0
Clone Of:
Environment:
Last Closed: 2023-06-29 15:52:19 UTC
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2023:3809 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-06-29 11:09:53 UTC

Description Borja Tarraso 2023-03-02 14:03:11 UTC
This is a collision attack on long IDs (64-bit) for PGP keys.

Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a trusted-key or pgp element in their dependency verification metadata file.

Gradle versions 6.2 to 7.6 are impacted by this issue.
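The following is an added example, not code from this bug report or from the Gradle project. It shows how to audit a Gradle dependency verification metadata file for the weak configuration the description refers to: `trusted-key` elements and `pgp` elements that reference a key by a 16-hex-digit long ID (64 bits) rather than by its full 40-hex-digit fingerprint (160 bits). The sample metadata is constructed for the example; the key IDs and fingerprints in it are placeholders, and treating an optional `0x` prefix as part of a long ID is an assumption of this checker.

```python
import re
import xml.etree.ElementTree as ET

# A full OpenPGP v4 fingerprint is 160 bits = 40 hex digits.
FULL_FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")
# A "long" key ID is only the low 64 bits = 16 hex digits (optionally 0x-prefixed; assumption).
LONG_KEY_ID = re.compile(r"^(0x)?[0-9A-Fa-f]{16}$")

# Constructed sample verification-metadata.xml (placeholder values, not real keys):
# one trusted-key using a long ID (weak), one using a full fingerprint (correct),
# and one per-artifact pgp element using a long ID (weak).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>true</verify-signatures>
    <trusted-keys>
      <trusted-key id="0123456789ABCDEF" group="org.example"/>
      <trusted-key id="0123456789ABCDEF0123456789ABCDEF01234567" group="org.example"/>
    </trusted-keys>
  </configuration>
  <components>
    <component group="org.example" name="lib" version="1.0">
      <artifact name="lib-1.0.jar">
        <pgp value="0x89ABCDEF01234567"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""


def _local_name(tag):
    """Strip the XML namespace ('{uri}name' -> 'name') so matching is namespace-agnostic."""
    return tag.rsplit("}", 1)[-1]


def find_weak_key_refs(xml_text):
    """Return (element, attribute, value, kind) for every key reference that is not a
    full 40-hex-digit fingerprint. kind is 'long-id' for a 64-bit long ID, otherwise
    'malformed' (for example a 32-bit short ID or a typo)."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():  # document order
        name = _local_name(elem.tag)
        if name == "trusted-key":
            attr = "id"
        elif name == "pgp":
            attr = "value"
        else:
            continue
        value = elem.get(attr, "")
        if FULL_FINGERPRINT.match(value):
            continue  # full fingerprint: the collision attack on long IDs does not apply
        kind = "long-id" if LONG_KEY_ID.match(value) else "malformed"
        findings.append((name, attr, value, kind))
    return findings


if __name__ == "__main__":
    for element, attr, value, kind in find_weak_key_refs(SAMPLE_METADATA):
        print(f"{element}@{attr}={value!r}: {kind}; replace with the key's full 40-hex fingerprint")
```

Running the checker over a real `gradle/verification-metadata.xml` (read the file instead of `SAMPLE_METADATA`) lists every reference that should be replaced by the full fingerprint of the signing key, which is the remediation for this issue independent of the Gradle upgrade.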

Comment 1 Chess Hazlett 2023-03-09 22:30:02 UTC
Quarkus looks to rebundle Gradle in its launcher; amq-st ships a wrapper but not the actual code

Comment 4 errata-xmlrpc 2023-06-29 11:09:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809

Comment 5 Product Security DevOps Team 2023-06-29 15:52:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-26053

