[Git][java-team/gradle][master] Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186)
Emmanuel Bourg (@ebourg)
gitlab at salsa.debian.org
Sun Jan 22 00:43:30 GMT 2023
Emmanuel Bourg pushed to branch master at Debian Java Maintainers / gradle
Commits:
dd78c4c4 by Emmanuel Bourg at 2023-01-22T01:31:20+01:00
Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186)
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2019-16370.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+gradle (4.4.1-18) unstable; urgency=medium
+
+ * Team upload.
+ * Fixed CVE-2019-16370: No longer use SHA-1 for PGP signing (Closes: #941186)
+
+ -- Emmanuel Bourg <ebourg at apache.org> Sun, 22 Jan 2023 01:05:45 +0100
+
gradle (4.4.1-17) unstable; urgency=medium
* Team upload.
=====================================
debian/patches/CVE-2019-16370.patch
=====================================
@@ -0,0 +1,27 @@
+From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sitnikov <sitnikov.vladimir at gmail.com>
+Date: Tue, 10 Sep 2019 14:37:35 +0300
+Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
+ artifacts
+
+PGP signs a digest, so MITM is still possible provided an attacker can update
+the artifact in such a way that its SHA1 is intact.
+
+Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
+
+Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir at gmail.com>
+---
+ .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
++++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+@@ -102,7 +102,7 @@
+
+ public PGPSignatureGenerator createSignatureGenerator() {
+ try {
+- PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
++ PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
+ generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+ return generator;
+ } catch (PGPException e) {
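Review bot: hard-coding PGPUtil.SHA512 in createSignatureGenerator fixes only signatures produced from this build onward; artifacts already published with SHA-1 signatures stay valid to every verifier, so the changelog entry should say that consumers still need their own SHA-1 rejection policy. PGPUtil.SHA512 comes from the same HashAlgorithmTags interface as the PGPUtil.SHA1 it replaces, so the one-line change needs no extra import or BouncyCastle bump. On the packaging side, the patch carries the git From/Subject header (which DEP-3 accepts) but no `Origin: backport, <upstream commit f50bb2513f8880f75db2c2b3f1badbae856f6f85>` or `Bug-Debian: https://bugs.debian.org/941186` line; adding them keeps the CVE/upstream mapping inside the patch rather than only in the changelog.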
=====================================
debian/patches/series
=====================================
@@ -39,3 +39,4 @@ source-level.patch
permit-illegal-access.patch
java17-compatibility.patch
auto-adjust-language-level.patch
+CVE-2019-16370.patch
View it on GitLab: https://salsa.debian.org/java-team/gradle/-/commit/dd78c4c4355ec11bda2caec9122491e20ee948ff
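Added example, not part of this Debian commit, of the upstream Gradle change, or of BouncyCastle: the commit message above points out that the signature commits to a digest, so a consumer verifying a `.asc` file should also check which hash algorithm the signature packet records and refuse SHA-1 (and MD5). The parser below reads the armor, checks the CRC-24 and pulls the hash algorithm byte out of the signature packet per RFC 4880. All function names are this example's own, and the two sample signatures are constructed by hand with a dummy MPI, so they parse but are not verifiable signatures.

```python
"""Inspect the hash algorithm an OpenPGP signature (RFC 4880 §5.2) commits to,
so SHA-1 signatures can be rejected at verification time. Standard library only."""
import base64

# RFC 4880 §9.4 hash algorithm identifiers (subset)
HASH_ALGORITHMS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
                   9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 §6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packet: bytes) -> str:
    """Wrap a raw packet in a PGP SIGNATURE armor block (used to build the samples)."""
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")


def dearmor(text: str) -> bytes:
    """Strip armor headers, base64-decode the body and verify the CRC-24 line."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header")
    for line in lines:                      # armor headers end at the first blank line
        if not line.strip():
            break
    body, crc_line = [], None
    for line in lines:
        if line.startswith("-----END"):
            break
        if line.startswith("="):            # "=XXXX" is the CRC-24 line
            crc_line = line[1:]
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC-24 mismatch")
    return data


def packet_header(buf: bytes, offset: int = 0):
    """Parse one packet header (RFC 4880 §4.2); return (tag, body_offset, body_len)."""
    first = buf[offset]
    if not first & 0x80:
        raise ValueError("not a packet header")
    if first & 0x40:                                    # new-format header
        tag, length_byte = first & 0x3F, buf[offset + 1]
        if length_byte < 192:
            return tag, offset + 2, length_byte
        if length_byte < 224:
            return tag, offset + 3, ((length_byte - 192) << 8) + buf[offset + 2] + 192
        if length_byte == 255:
            return tag, offset + 6, int.from_bytes(buf[offset + 2:offset + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag, length_type = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if length_type == 3:
        raise ValueError("indeterminate length not supported")
    size = 1 << length_type
    return tag, offset + 1 + size, int.from_bytes(buf[offset + 1:offset + 1 + size], "big")


def signature_hash_algorithm(sig: bytes) -> str:
    """Name of the hash algorithm recorded in a signature packet (tag 2)."""
    tag, body, _ = packet_header(sig)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    version = sig[body]
    if version == 3:        # v3: version, hashed-len, type, time(4), key id(8), pk alg, hash alg
        alg = sig[body + 16]
    elif version >= 4:      # v4 and later: version, type, pk alg, hash alg, ...
        alg = sig[body + 3]
    else:
        raise ValueError(f"unsupported signature version {version}")
    return HASH_ALGORITHMS.get(alg, f"unknown({alg})")


def is_weak_signature(armored: str) -> bool:
    """True when a .asc signature should be rejected because of its digest."""
    return signature_hash_algorithm(dearmor(armored)) in WEAK_HASHES


def constructed_v4_signature(hash_alg: int) -> bytes:
    """Hand-built v4 RSA (pk alg 1) signature over a binary document; the trailing
    MPI is a dummy, so this is a constructed sample, not a real signature."""
    body = bytes([4, 0x00, 1, hash_alg]) + b"\x00\x00\x00\x00\xab\xcd\x00\x10\x12\x34"
    return bytes([0xC0 | 2, len(body)]) + body


# Constructed samples: what the signing plugin emitted before (SHA1) and after (SHA512) the fix.
SHA1_SIGNATURE = armor(constructed_v4_signature(2))
SHA512_SIGNATURE = armor(constructed_v4_signature(10))

if __name__ == "__main__":
    for label, asc in (("before", SHA1_SIGNATURE), ("after", SHA512_SIGNATURE)):
        print(label, signature_hash_algorithm(dearmor(asc)), "REJECT" if is_weak_signature(asc) else "ok")
```

Run it over real `.asc` files by feeding their text to is_weak_signature; only the first packet is inspected, which is the normal layout of a detached signature file.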