This is an automated email from the ASF dual-hosted git repository.

nite pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/karaf-jclouds.git


The following commit(s) were added to refs/heads/master by this push:
     new 79d0ec3  vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291
     new 4ed5c6f  Merge pull request #8 from BulkSecurityGeneratorProjectV2/fix/JLL/use_https_to_resolve_dependencies_maven
79d0ec3 is described below

commit 79d0ec3c25c1850a5dbd58f266e82c996e7b25fe
Author: Jonathan Leitschuh <[email protected]>
AuthorDate: Sat Dec 16 07:13:20 2023 +0000

    vuln-fix: Use HTTPS instead of HTTP to resolve deps CVE-2021-26291
    
    
    This fixes a security vulnerability in this project where the `pom.xml`
    files were configuring Maven to resolve dependencies over HTTP instead of
    HTTPS.
    
    Weakness: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
    Severity: High
    CVSS: 8.1
    Detection: CodeQL & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)
    
    Reported-by: Jonathan Leitschuh <[email protected]>
    Signed-off-by: Jonathan Leitschuh <[email protected]>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8
    Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-maven-non-https-url/) & OpenRewrite (https://app.moderne.io/recipes/org.openrewrite.maven.security.UseHttpsForRepositories)
    
    Reported-by: Jonathan Leitschuh <[email protected]>
    Signed-off-by: Jonathan Leitschuh <[email protected]>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/8
    
    
    Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/IfHkrYfxx?organizationId=QWxsIEdpdEh1Yg%3D%3D
    
    Co-authored-by: Moderne <[email protected]>
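The class of defect this commit fixes can be checked for in any pom.xml before a build runs. The following checker is an added example for this notification, not code from the karaf-jclouds project nor the CodeQL or OpenRewrite implementation; the names URL_PARENT_PATHS, find_insecure_repository_urls and SAMPLE_POM are its own, and the sample POM is constructed from the hunk in this commit.

```python
# Added example; not the project's code and not the CodeQL/OpenRewrite implementation.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# <url> children of these elements tell Maven where to download (or publish)
# artifacts. A plaintext scheme there is the CWE-829 issue this commit fixes.
URL_PARENT_PATHS = (
    "repositories/repository",
    "pluginRepositories/pluginRepository",
    "distributionManagement/repository",
    "distributionManagement/snapshotRepository",
)
PLAINTEXT_SCHEMES = {"http", "ftp"}

def _local(tag):
    # Strip the XML namespace so POMs with or without xmlns match alike.
    return tag.rsplit("}", 1)[-1]

def _walk(elem, parts):
    """Yield descendants of elem reached by the given sequence of tag names."""
    if not parts:
        yield elem
        return
    for child in elem:
        if _local(child.tag) == parts[0]:
            yield from _walk(child, parts[1:])

def _child_text(elem, name):
    return next((c.text.strip() for c in elem if _local(c.tag) == name and c.text), "")

def find_insecure_repository_urls(pom_xml):
    """Return (repository id, url) pairs whose URL scheme is http or ftp."""
    root = ET.fromstring(pom_xml)
    findings = []
    for path in URL_PARENT_PATHS:
        for repo in _walk(root, path.split("/")):
            url = _child_text(repo, "url")
            if urlsplit(url).scheme.lower() in PLAINTEXT_SCHEMES:
                findings.append((_child_text(repo, "id"), url))
    return findings

# Constructed sample modelled on the hunk in this commit: the pre-fix plaintext
# repository plus one that is already served over HTTPS.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>maven2-repository.dev.java.net</id>
      <url>http://download.java.net/maven/2/</url></repository>
    <repository><id>central</id>
      <url>https://repo.maven.apache.org/maven2/</url></repository>
  </repositories>
</project>"""
```

The xmlns value is a namespace identifier, not a download location, so the checker correctly ignores it; `find_insecure_repository_urls(SAMPLE_POM)` reports only the java.net entry.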
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index 82e56ee..7798440 100644
--- a/pom.xml
+++ b/pom.xml
@@ -596,7 +596,7 @@ limitations under the License.
     <repository>
       <id>maven2-repository.dev.java.net</id>
       <name>Java.net Repository for Maven</name>
-      <url>http://download.java.net/maven/2/</url>
+      <url>https://download.java.net/maven/2/</url>
       <layout>default</layout>
     </repository>
   </repositories>
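Review bot: the scheme-only rewrite at `-      <url>http://download.java.net/maven/2/</url>` / `+      <url>https://download.java.net/maven/2/</url>` should be verified against the host before merge: if download.java.net does not serve this path over HTTPS with a valid certificate, the change turns a resolvable repository into a build failure rather than a hardened one, and if the host redirects HTTPS back to HTTP the change gains nothing. Since this `<repository>` is the only entry in the block and is a java.net address, also consider whether the project still needs it at all; dropping an unused repository from the pom removes a download source entirely, which is a stronger fix than changing its scheme. Either way, the pull request description should record what was checked.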
