gradle / CVE-2019-11065
Looking at Gradle in Jessie it looks like it has a number of http://
URLs instead of https:// URLs that look dicey.
There is this upstream patch that looks like it might be important and
also is missing from Jessie:
https://github.com/gradle/gradle/commit/b2b9606975bfe98418aef731b1fa006a03fde7d4
I have a suspicion all these references may not be updated (or at least
the ones that are not commented out):
buildSrc/build.gradle: //maven { url 'http://repo.gradle.org/gradle/libs' }
subprojects/internal-integ-testing/src/main/groovy/org/gradle/integtests/fixtures/executer/RedirectMavenCentral.groovy: url = "http://repo.gradle.org/gradle/repo1"
subprojects/docs/src/samples/toolingApi/idea/build.gradle: url 'http://repo.gradle.org/gradle/libs-releases-local'
subprojects/docs/src/samples/toolingApi/model/build.gradle: url 'http://repo.gradle.org/gradle/libs-releases-local'
subprojects/docs/src/samples/toolingApi/runBuild/build.gradle: url 'http://repo.gradle.org/gradle/libs-releases-local'
subprojects/docs/src/samples/toolingApi/eclipse/build.gradle: url 'http://repo.gradle.org/gradle/libs-releases-local'
subprojects/tooling-api/src/integTest/groovy/org/gradle/integtests/tooling/fixture/ToolingApiDistributionResolver.groovy: withRepository("http://repo.gradle.org/gradle/repo")
subprojects/tooling-api/src/integTest/groovy/org/gradle/integtests/tooling/ToolingApiIntegrationTest.groovy: maven { url "http://repo.gradle.org/gradle/repo" }
subprojects/javascript/src/main/groovy/org/gradle/plugins/javascript/base/JavaScriptRepositoriesExtension.java: public static final String GRADLE_PUBLIC_JAVASCRIPT_REPO_URL = "http://repo.gradle.org/gradle/javascript-public";
I notice that debian/patches/01_use_debian_jars.diff removes some
references, but there are still others that remain (as per above).
Having no experience with Gradle, however, I am not sure how important
these are.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
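The grep above is a manual version of a check that can be automated when auditing a package for plaintext repository URLs of the kind CVE-2019-11065 is about. The following is an added example (not code from the Debian gradle package, from upstream Gradle, or from the mail above): a small Python scanner that walks a set of build files, reports every quoted http:// URL that is not commented out (mirroring the "not commented ones" distinction made in the mail), skips hosts that are expected to be plaintext such as a local test server, and proposes the https:// form. The file contents are constructed samples that imitate the Gradle (Groovy DSL) and Java lines quoted in the mail; the function names, the allow-list of local hosts, and the abbreviated Java path are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs modelled on the grep hits quoted in the mail.
# Paths and contents are illustrative, not copies of the real source tree.
SAMPLE_FILES: Dict[str, str] = {
    "buildSrc/build.gradle": """
repositories {
    //maven { url 'http://repo.gradle.org/gradle/libs' }
    mavenCentral()
}
""",
    "subprojects/docs/src/samples/toolingApi/idea/build.gradle": """
repositories {
    maven { url 'http://repo.gradle.org/gradle/libs-releases-local' }
}
""",
    # Abbreviated path (assumption for this example), Java constant as in the mail.
    "subprojects/javascript/JavaScriptRepositoriesExtension.java": """
public static final String GRADLE_PUBLIC_JAVASCRIPT_REPO_URL = "http://repo.gradle.org/gradle/javascript-public";
""",
    # A file that already uses https:// plus a local test server, which should not be flagged.
    "fixed/build.gradle": """
repositories {
    maven { url 'https://repo.gradle.org/gradle/libs-releases-local' }
    maven { url 'http://localhost:8081/artifactory' }
}
""",
}

# A quoted URL beginning with http:// (https:// does not match because the
# character after "http" must be ':').
PLAIN_HTTP = re.compile(r"""(["'])http://([^"']+)\1""")
# Groovy/Java single-line comment at the start of a line.
LINE_COMMENT = re.compile(r"^\s*//")

# Hosts where plaintext HTTP is expected (local fixtures) and not a finding.
DEFAULT_ALLOWED_HOSTS: Tuple[str, ...] = ("localhost", "127.0.0.1")


def find_plaintext_urls(text: str, ignore_comments: bool = True,
                        allowed_hosts: Tuple[str, ...] = DEFAULT_ALLOWED_HOSTS
                        ) -> List[Tuple[int, str]]:
    """Return (line number, url) for each quoted http:// URL in text."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ignore_comments and LINE_COMMENT.match(line):
            continue  # commented-out repository, as distinguished in the mail
        for match in PLAIN_HTTP.finditer(line):
            rest = match.group(2)
            host = rest.split("/", 1)[0].split(":", 1)[0]
            if host in allowed_hosts:
                continue
            findings.append((lineno, "http://" + rest))
    return findings


def scan(files: Dict[str, str], ignore_comments: bool = True,
         allowed_hosts: Tuple[str, ...] = DEFAULT_ALLOWED_HOSTS
         ) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> content and keep only files with findings."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for path, text in files.items():
        hits = find_plaintext_urls(text, ignore_comments, allowed_hosts)
        if hits:
            report[path] = hits
    return report


def suggest_fix(url: str) -> str:
    """Propose the TLS form of a plaintext URL; the host is left unchanged."""
    if not url.startswith("http://"):
        raise ValueError("not a plaintext http:// URL: " + url)
    return "https://" + url[len("http://"):]


def render_report(report: Dict[str, List[Tuple[int, str]]]) -> str:
    """Format findings one per line as path:line: url -> suggested fix."""
    lines = []
    for path, hits in sorted(report.items()):
        for lineno, url in hits:
            lines.append(f"{path}:{lineno}: {url} -> {suggest_fix(url)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(scan(SAMPLE_FILES)))
```

Run against a real checkout, the same functions can be fed the result of walking the tree for *.gradle, *.groovy and *.java files; running with ignore_comments=False additionally lists the commented-out entries, which are harmless to the build but worth noting if a later patch might re-enable them.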