Control: reassign -1 src:wagon2
Control: tags -1 + patch


This security issue is actually  affecting libwagon2-java as, besides of
build improvements,  maven 3.0.5 only  bumps wagon2 version from  2.2 to
2.4  (should   maven  be   rebuilt  when  a   fixed  version   has  been
uploaded?). Therefore, I'm reassigning this issue to wagon2 instead.

According  to [0],  it  is recommended  to upgrade  to  Maven Wagon  2.4
however this  is not  really possible  as the  new version  requires (at
least,  when  testing by  changing  the  required  version, I  got  more
dependency  errors later  on) libmaven-parent-java  >= 23  which is  not
available in the archive.  Moreover, there are many unrelated changes so
the only  solution is  probably to  backport the  patches. The  issue on
Maven Wagon BTS seems to be:

And the patches (quite small indeed):;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5

As I  don't know anything  about Maven (I'm  just hunting RC  bugs ;-)),
could you please confirm that these patches fix this issue?  I can later
NMU if it helps.

Also,  there seems  to  have  been several  other  bug fixes  (including
security-related  ones), not  sure  if they  are  really critical,  just
pointing out  what I have found  so far while checking  git history from
Maven Wagon 2.2 to 2.4:;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac

Arnaud Fontaine


Attachment: pgp0kgRrm2IdH.pgp
Description: PGP signature

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to