Bug#941187: gradle: CVE-2019-15052

2019-09-25 Thread Salvatore Bonaccorso
Source: gradle
Version: 4.4.1-8
Severity: important
Tags: security upstream
Forwarded: https://github.com/gradle/gradle/issues/10278

Hi,

The following vulnerability was published for gradle.

CVE-2019-15052[0]:
| The HTTP client in Gradle before 5.6 sends authentication credentials
| originally destined for the configured host. If that host returns a
| 30x redirect, Gradle also sends those credentials to all subsequent
| hosts that the request redirects to. This is similar to
| CVE-2018-107.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-15052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15052
[1] https://github.com/gradle/gradle/issues/10278
[2] https://github.com/gradle/gradle/pull/10176
[3] https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Init: sysvinit (via /sbin/init)

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.
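
The redirect behaviour described in CVE-2019-15052, shown from the mitigation side as an added example (not Gradle's code and not the upstream fix): credentials are attached only while the request stays on the configured origin. The host names, the `send` callback and the credential string are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

def origin(url):
    """(scheme, host, port): the unit the credentials are bound to."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def fetch_with_scoped_auth(url, auth_header, send, max_redirects=5):
    """Follow 30x redirects; send auth_header only while still on the
    configured origin. send(url, headers) -> (status, response_headers)
    is injected so the example runs offline.
    Returns [(url, headers_sent), ...] for every request made."""
    configured = origin(url)
    on_configured_origin = True
    trail = []
    for _ in range(max_redirects + 1):
        # Once a redirect leaves the configured origin, never re-attach.
        on_configured_origin = on_configured_origin and origin(url) == configured
        headers = {"Authorization": auth_header} if on_configured_origin else {}
        status, response_headers = send(url, headers)
        trail.append((url, headers))
        location = response_headers.get("Location")
        if status not in REDIRECTS or not location:
            return trail
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")

# Constructed responses: the configured repository redirects within its own
# origin first, then to a different host.
CONSTRUCTED_ROUTES = {
    "https://repo.example.test/lib/a.jar": (302, {"Location": "/mirror/a.jar"}),
    "https://repo.example.test/mirror/a.jar": (302, {"Location": "https://cdn.example.test/a.jar"}),
    "https://cdn.example.test/a.jar": (200, {}),
}

def constructed_send(url, headers):
    return CONSTRUCTED_ROUTES[url]

def demo():
    return fetch_with_scoped_auth("https://repo.example.test/lib/a.jar",
                                  "Basic CONSTRUCTED-PLACEHOLDER", constructed_send)
```

A scheme downgrade on the same host also counts as a different origin here, so the header is dropped on an `https` to `http` redirect.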

Processed: gradle: CVE-2019-16370

2019-09-25 Thread Debian Bug Tracking System
Processing control commands:

> found -1 4.4.1-6
Bug #941186 [src:gradle] gradle: CVE-2019-16370
Marked as found in versions gradle/4.4.1-6.

-- 
941186: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


Bug#941186: gradle: CVE-2019-16370

2019-09-25 Thread Salvatore Bonaccorso
Source: gradle
Version: 4.4.1-8
Severity: important
Tags: security upstream
Forwarded: https://github.com/gradle/gradle/pull/10543
Control: found -1 4.4.1-6

Hi,

The following vulnerability was published for gradle.

CVE-2019-16370[0]:
| The PGP signing plugin in Gradle before 6.0 relies on the SHA-1
| algorithm, which might allow an attacker to replace an artifact with a
| different one that has the same SHA-1 message digest, a related issue
| to CVE-2005-4900.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16370
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16370
[1] https://github.com/gradle/gradle/pull/10543
[2] https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
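
A check a maintainer could run over published `.asc` files to see which signatures declare SHA-1, as an added example (not Gradle's code and not part of the original report). It reads the hash algorithm octet from the first OpenPGP signature packet per RFC 4880; the file names and the two byte strings are constructed, truncated packet headers, not valid signatures.

```python
import base64

HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}  # RFC 4880, section 9.4
WEAK = {"MD5", "SHA1"}

def dearmor(data):
    """Return the binary packet from an ASCII-armored or binary signature."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.decode("ascii").strip().splitlines()]
    body = []
    for line in lines[lines.index("") + 1:]:    # blank line ends the armor headers
        if line.startswith(("=", "-----END")):   # CRC-24 line or armor tail
            break
        body.append(line)
    return base64.b64decode("".join(body))

def signature_hash(data):
    """Name of the hash algorithm declared in the first signature packet."""
    pkt = dearmor(data)
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                             # new-format header
        tag, l0 = first & 0x3F, pkt[1]
        if 224 <= l0 < 255:
            raise ValueError("partial body length not supported")
        header_len = 2 if l0 < 192 else 3 if l0 < 224 else 6
    else:                                        # old-format header
        tag = (first >> 2) & 0x0F
        header_len = 1 + (1, 2, 4, 0)[first & 0x03]
    if tag != 2:
        raise ValueError("first packet is not a signature")
    body = pkt[header_len:]
    if body[0] == 4:      # v4: version, sig type, pubkey algo, hash algo
        algo = body[3]
    elif body[0] == 3:    # v3: version, 5, type, time(4), key id(8), pubkey, hash
        algo = body[16]
    else:
        raise ValueError("unsupported signature version %d" % body[0])
    return HASH_NAMES.get(algo, "unknown(%d)" % algo)

def weak_signatures(files):
    """files: {name: signature bytes}; sorted names signed with a weak hash."""
    return sorted(n for n, sig in files.items() if signature_hash(sig) in WEAK)

# Constructed, truncated packets (header fields only).
SHA1_SIG = bytes([0x88, 0x06, 0x04, 0x00, 0x01, 0x02, 0x00, 0x00])
SHA256_SIG = bytes([0xC2, 0x06, 0x04, 0x00, 0x01, 0x08, 0x00, 0x00])
```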


cpptasks 1.0~b5-5 MIGRATED to testing

2019-09-25 Thread Debian testing watch
FYI: The status of the cpptasks source package
in Debian's testing distribution has changed.

  Previous version: 1.0~b5-2
  Current version:  1.0~b5-5

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.


bcel: status change on tests.reproducible-builds.org/debian

2019-09-25 Thread Reproducible builds folks
2019-09-22 01:59 https://tests.reproducible-builds.org/debian/unstable/amd64/bcel changed from reproducible -> FTBFS


stream-lib_2.9.8-1_amd64.changes is NEW

2019-09-25 Thread Debian FTP Masters
binary:libstream-java is NEW.
binary:libstream-java is NEW.
source:stream-lib is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
 or https://ftp-master.debian.org/backports-new.html for *-backports


Processing of stream-lib_2.9.8-1_amd64.changes

2019-09-25 Thread Debian FTP Masters
stream-lib_2.9.8-1_amd64.changes uploaded successfully to localhost
along with the files:
  stream-lib_2.9.8-1.dsc
  stream-lib_2.9.8.orig.tar.gz
  stream-lib_2.9.8-1.debian.tar.xz
  libstream-java_2.9.8-1_all.deb
  stream-lib_2.9.8-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
