Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gradle | Gradle | 1.4 (including) | 5.3.1 (including) |
| Gradle | Ubuntu | bionic | * |
| Gradle | Ubuntu | cosmic | * |
| Gradle | Ubuntu | disco | * |
| Gradle | Ubuntu | eoan | * |
| Gradle | Ubuntu | esm-apps-legacy/xenial | * |
| Gradle | Ubuntu | esm-apps/bionic | * |
| Gradle | Ubuntu | esm-apps/xenial | * |
| Gradle | Ubuntu | trusty | * |
| Gradle | Ubuntu | xenial | * |
References
- https://github.com/gradle/gradle/pull/8927
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVXOXNLAYRGPKAZV63PYNV3HF27JW2MW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43P7SVDJOG6OUDVFR4ZIDITZLNHPGTO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQ5CGOV5QVQCSPGE3WRZDKUGIXLHSZDR/
- https://github.com/gradle/gradle/pull/8927
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVXOXNLAYRGPKAZV63PYNV3HF27JW2MW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43P7SVDJOG6OUDVFR4ZIDITZLNHPGTO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQ5CGOV5QVQCSPGE3WRZDKUGIXLHSZDR/