Author: olamy
Date: Sat Feb 23 14:59:24 2013
New Revision: 1449335
URL: http://svn.apache.org/r1449335
Log:
add security page
Added:
maven/site/trunk/content/apt/security.apt (with props)
Added: maven/site/trunk/content/apt/security.apt
URL:
http://svn.apache.org/viewvc/maven/site/trunk/content/apt/security.apt?rev=1449335&view=auto
==============================================================================
--- maven/site/trunk/content/apt/security.apt (added)
+++ maven/site/trunk/content/apt/security.apt Sat Feb 23 14:59:24 2013
@@ -0,0 +1,59 @@
+ ------
+ Security Vulnerabilities
+ ------
+
+~~ Licensed to the Apache Software Foundation (ASF) under one
+~~ or more contributor license agreements. See the NOTICE file
+~~ distributed with this work for additional information
+~~ regarding copyright ownership. The ASF licenses this file
+~~ to you under the Apache License, Version 2.0 (the
+~~ "License"); you may not use this file except in compliance
+~~ with the License. You may obtain a copy of the License at
+~~
+~~ http://www.apache.org/licenses/LICENSE-2.0
+~~
+~~ Unless required by applicable law or agreed to in writing,
+~~ software distributed under the License is distributed on an
+~~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~~ KIND, either express or implied. See the License for the
+~~ specific language governing permissions and limitations
+~~ under the License.
+
+~~ NOTE: For help with the syntax of this file, see:
+~~ http://maven.apache.org/guides/mini/guide-apt-format.html
+
+
+Security Vulnerabilities
+
+ Please note that binary patches are not produced for individual
vulnerabilities. To obtain the binary fix for a particular
+ vulnerability you should upgrade to an Apache Maven version where that
vulnerability has been fixed.
+
+ For more information about reporting vulnerabilities, see the
+ {{{http://www.apache.org/security/} Apache Security Team}} page.
+
+* CVE-2013-0253 Apache Maven
+
+ Severity: Medium
+
+ Vendor: The Apache Software Foundation
+
+ Versions Affected:
+
+ * Apache Maven 3.0.4
+
+ * Apache Maven Wagon 2.1, 2.2, 2.3
+
+ []
+
+ Description:
+ Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
+ SSL mode by default. This mode disables all SSL certificate checking,
+ including: host name verification , date validity, and certificate
+ chain. Not validating the certificate introduces the possibility of a
+ man-in-the-middle attack.
+
+ All users are recommended to upgrade to {{{./download.cgi} Apache Maven
3.0.5}} and Apache
+ Maven Wagon 2.4.
+
+ Credit
+ This issue was identified by Graham Leggett
\ No newline at end of file
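Review bot: The Description paragraph of the CVE-2013-0253 entry names only "Apache Maven Wagon 2.1", while the "Versions Affected" list above it gives Wagon 2.1, 2.2, 2.3. A reader judging exposure from the Description alone could conclude that Wagon 2.2 and 2.3 are not affected. Suggest making the Description agree with the list, or having it refer back to the list instead of naming a single Wagon version. Smaller points in the same entry: there is a stray space before the comma in "host name verification , date validity"; "Credit" has no colon although "Description:" and "Versions Affected:" do; and the final sentence has no period and the file ends without a trailing newline, which is worth fixing given that svn:eol-style = native is set on it.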
Propchange: maven/site/trunk/content/apt/security.apt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: maven/site/trunk/content/apt/security.apt
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision