
chore(deps): update dependency gradle/gradle to v8.12.0 #9230

Merged
merged 1 commit into from
Dec 20, 2024

Conversation

uniget-bot

This PR contains the following updates:

Package         Update   Change
gradle/gradle   minor    8.11.1 -> 8.12.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

gradle/gradle (gradle/gradle)

v8.12.0: 8.12

Compare Source

The Gradle team is excited to announce Gradle 8.12.

Read the Release Notes

We would like to thank the following community members for their contributions to this release of Gradle:
Abhiraj Adhikary,
Ayush Saxena,
Björn Kautler,
davidburstrom,
Dominic Fellbaum,
Emmanuel Ferdman,
Finn Petersen,
Johnny Lim,
Mahdi Hosseinzadeh,
Martin Bonnin,
Paint_Ninja,
Petter Måhlén,
Philip Wedemann,
stegeto22,
Tanish,
TheGoesen,
Tim Nielens,
Trout Zhang,
Victor Merkulov

Upgrade instructions

Switch your build to use Gradle 8.12 by updating your wrapper:

./gradlew wrapper --gradle-version=8.12

See the Gradle 8.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading.

For Java, Groovy, Kotlin and Android compatibility, see the full compatibility notes.

Reporting problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you're not sure you're encountering a bug, please use the forum.

We hope you will build happiness with Gradle, and we look forward to your feedback via Twitter or on GitHub.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.


@nicholasdille-bot nicholasdille-bot left a comment


Auto-approved because label type/renovate is present.


🔍 Vulnerabilities of ghcr.io/uniget-org/tools/gradle:8.12.0

📦 Image Reference: ghcr.io/uniget-org/tools/gradle:8.12.0
Digest: sha256:509fec16e666309f18bbb605d7b9dc2ec7adbbc0f82cf1790a3989b7573ffa84
Vulnerabilities: critical: 0, high: 1, medium: 0, low: 0
Platform: linux/amd64
Size: 137 MB
Packages: 314

critical: 0, high: 1, medium: 0, low: 0 — org.eclipse.jgit 5.13.3.202401111512-r (maven)

pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.13.3.202401111512-r

high 8.8: CVE-2023-4759 — OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range: <=6.6.0.202305301015-r
Fixed version: 6.6.1.202309021850-r
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description

Arbitrary File Overwrite in Eclipse JGit <= 6.6.0

In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.

This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.

The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.

Setting git configuration option core.symlinks = false before checking out avoids the problem.

The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/.

The JGit maintainers would like to thank RyotaK for finding and reporting this issue.
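A reviewer of this PR has two practical questions about the finding above: is the JGit version reported in the purl actually inside the advisory's affected range, and is the core.symlinks = false mitigation the advisory recommends present in the git configuration a build will use? The following Python is an added triage helper written for this page; it is not part of the PR, the scanner output, or the JGit project. The purl, affected range and fixed version are copied from the scan report; the gitconfig texts are constructed samples, and the config parser is a deliberate simplification of git's format (it does not handle quoted values containing # or ;).

```python
"""Triage helper for the JGit finding (CVE-2023-4759) in the scan report.

Added example, not part of the PR, the scanner or JGit. It answers:
  1. Is the JGit version in the reported purl inside the affected range?
  2. Does a git config carry the core.symlinks = false mitigation?
"""
import re

# Values copied from the scan report on this page.
PURL = "pkg:maven/org.eclipse.jgit/org.eclipse.jgit@5.13.3.202401111512-r"
AFFECTED_MAX = "6.6.0.202305301015-r"   # advisory: affected range <= this
FIXED_VERSION = "6.6.1.202309021850-r"

# Constructed sample configs (not from any real repository).
SAFE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tsymlinks = false   # mitigation recommended by the advisory
[remote "origin"]
\turl = https://example.invalid/repo.git
"""
UNSAFE_CONFIG = "[core]\n\tsymlinks = true\n"


def parse_jgit_version(version: str) -> tuple:
    """Split 'MAJOR.MINOR.PATCH.TIMESTAMP-r' into a tuple of ints so that
    versions compare numerically rather than as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-r", version)
    if not m:
        raise ValueError(f"unexpected JGit version format: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_from_purl(purl: str) -> str:
    """Return the version component of a package URL (text after the last '@')."""
    if "@" not in purl:
        raise ValueError("purl has no version component")
    return purl.rsplit("@", 1)[1]


def is_affected(version: str) -> bool:
    """True when version <= AFFECTED_MAX, i.e. inside the advisory's range."""
    return parse_jgit_version(version) <= parse_jgit_version(AFFECTED_MAX)


def parse_gitconfig(text: str) -> dict:
    """Minimal parser for git's INI-style config: {'section.key': 'value'}.

    Handles [section] and [section "subsection"] headers and '#'/';' comments.
    The last occurrence of a key wins, as git does for single-valued keys.
    Simplification: comment stripping ignores quoting, so values that contain
    '#' or ';' would be truncated."""
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r'\[([^\s\]"]+)(?:\s+"([^"]*)")?\]', line)
        if header:
            name, sub = header.groups()
            section = f"{name}.{sub}" if sub else name
            continue
        if "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            values[f"{section}.{key}".lower()] = value
    return values


def symlinks_disabled(config_text: str) -> bool:
    """True only when core.symlinks is explicitly false.

    git sets core.symlinks when a repository is created, based on filesystem
    support, so an absent key is not treated as mitigated here."""
    value = parse_gitconfig(config_text).get("core.symlinks", "").lower()
    return value in ("false", "no", "off", "0")


def triage(purl: str, config_text: str) -> dict:
    """Combine both checks into one report for a PR reviewer."""
    version = version_from_purl(purl)
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_version": FIXED_VERSION,
        "symlinks_mitigated": symlinks_disabled(config_text),
    }


if __name__ == "__main__":
    for label, cfg in (("safe config", SAFE_CONFIG), ("unsafe config", UNSAFE_CONFIG)):
        print(label, triage(PURL, cfg))
```

For the purl on this page the helper reports the bundled JGit as affected (5.13.x sorts below 6.6.0.202305301015-r), which is why the finding stands until the image ships a fixed JGit; the config check is the compensating control a consumer of the image can apply on its own clones in the meantime.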


PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12435082441.

@github-actions github-actions bot merged commit ddb483d into main Dec 20, 2024
10 checks passed
@github-actions github-actions bot deleted the renovate/gradle-gradle-8.x branch December 20, 2024 16:39