!18 打开自依赖编译

From: @lyn1001 Reviewed-by: @caodongxia Signed-off-by: @caodongxia
Restoring self-dependence
2023-11-21 11:49:45 +00:00 · 2023-11-21 16:14:34 +08:00 · 2023-11-21 08:01:45 +00:00 · 2023-11-21 15:36:17 +08:00 · 2022-02-28 09:11:54 +00:00 · 2022-02-26 17:46:02 +08:00
4 changed files with 44 additions and 2 deletions
--- a/CVE-2019-16370.patch
+++ b/CVE-2019-16370.patch
@ -0,0 +1,29 @@
+From f50bb2513f8880f75db2c2b3f1badbae856f6f85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
+Date: Tue, 10 Sep 2019 14:37:35 +0300
+Subject: [PATCH] signing plugin: use SHA512 instead of SHA1 when signing
+ artifacts
+
+PGP signs a digest, so MITM is still possible provided an attacker can update
+the artifact in such a way that its SHA1 is intact.
+
+Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930
+
+Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>
+---
+ .../org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+index 5e022b5b5d077..3e212fe4a93d8 100644
+--- a/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+++ b/subprojects/signing/src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java
+@@ -104,7 +104,7 @@ private void writeSignatureTo(OutputStream signatureDestination, PGPSignature pg
+ 
+     public PGPSignatureGenerator createSignatureGenerator() {
+         try {
+-            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA1));
+            PGPSignatureGenerator generator = new PGPSignatureGenerator(new BcPGPContentSignerBuilder(secretKey.getPublicKey().getAlgorithm(), PGPUtil.SHA512));
+             generator.init(PGPSignature.BINARY_DOCUMENT, privateKey);
+             return generator;
+         } catch (PGPException e) {
--- a/gradle-bootstrap.sh
+++ b/gradle-bootstrap.sh
--- a/gradle.spec
+++ b/gradle.spec
@ -1,12 +1,12 @@
 %bcond_with bootstrap
 Name:                gradle
 Version:             4.4.1
-Release:             1
+Release:             5
 Summary:             Build automation tool
 License:             ASL 2.0
 URL:                 http://www.gradle.org/
 BuildArch:           noarch
-Source0:             http://services.gradle.org/distributions/gradle-%{version}-src.zip
+Source0:             https://github.com/gradle/gradle/archive/v%{version}.zip
 Source1:             http://services.gradle.org/versions/all#/all-released-versions.json
 Source2:             gradle-font-metadata.xml
 Source3:             gradle-jquery-metadata.xml
@ -40,6 +40,7 @@ Patch0015:           0015-Disable-docs-build.patch
 Patch0016:           0016-Port-to-guava-20.0.patch
 Patch0017:           0017-Set-core-api-source-level-to-8.patch
 Patch0018:           0018-Use-HTTPS-for-GoogleAPIs-repository.patch
+Patch0019:           CVE-2019-16370.patch
 BuildRequires:       git
 %if %{with bootstrap}
 BuildRequires:       groovy >= 2.3 javapackages-local
@ -237,6 +238,18 @@ install -p -m 644 man/gradle.1 %{buildroot}%{_mandir}/man1/gradle.1
 %license LICENSE NOTICE

 %changelog
+* Tue Nov 21 2023 liyanan <liyanan61@h-partners.com> - 4.4.1-5
+- Restoring self-dependence
+
+* Tue Nov 21 2023 liyanan <liyanan61@h-partners.com> - 4.4.1-4
+- Remove self-dependence
+
+* Fri Feb 25 2022 wangkai <wangkai385@huawei.com> - 4.4.1-3
+- Rebuild for fix log4j1.x cves
+
+* Tue Jul 27 2021 liwu <liwu13@huawei.com> - 4.4.1-2
+- fix CVE-2019-16370
+
 * Fri Sep 4 2020 chengzihan <chengzihan2@huawei.com> - 4.4.1-1
 - upgrade to 4.4.1-1

--- a/gradle-4.4.1-src.zip
+++ b/gradle-4.4.1-src.zip
Author	SHA1	Message	Date
openeuler-ci-bot	8b51c06b51	!18 打开自依赖编译 From: @lyn1001 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-11-21 11:49:45 +00:00
lyn1001	820f8da963	Restoring self-dependence	2023-11-21 16:14:34 +08:00
openeuler-ci-bot	77e1bb1a7d	!17 临时关闭自依赖解决ebs编译失败 From: @lyn1001 Reviewed-by: @caodongxia Signed-off-by: @caodongxia	2023-11-21 08:01:45 +00:00
lyn1001	1096e61840	Remove self-dependence	2023-11-21 15:36:17 +08:00
openeuler-ci-bot	70cc02661b	!14 [sync] PR-12: Rebuild for fix log4j1.x cves From: @openeuler-sync-bot Reviewed-by: @wangchong1995924 Signed-off-by: @wangchong1995924	2022-02-28 09:11:54 +00:00
wk333	559fb6e806	Rebuild for fix log4j1.x cves (cherry picked from commit 356bfa67afbeadd7915f013ddec19a5a1a1e0eeb)	2022-02-26 17:46:02 +08:00
openeuler-ci-bot	119d8be93f	!7 [sync] PR-6: CVE-2019-16370 From: @openeuler-sync-bot Reviewed-by: @wangchong1995924 Signed-off-by: @wangchong1995924	2021-07-29 07:33:49 +00:00
programmer12	839c46c31e	CVE-2019-16370 (cherry picked from commit 9708987f7916c16b377801bff814f5d43357bc84)	2021-07-29 09:48:05 +08:00
openeuler-ci-bot	6a65ae890c	!3 upgrade to 4.4.1-1 From: @chengzihan2 Reviewed-by: @yanzh_h Signed-off-by: @yanzh_h	2020-09-11 14:05:39 +08:00
chengzihan2	13d9590b39	upgrade to 4.4.1	2020-09-10 21:00:30 +08:00