diff -Nru wagon2-2.2/debian/changelog wagon2-2.2/debian/changelog
--- wagon2-2.2/debian/changelog	2012-05-27 15:10:23.000000000 -0400
+++ wagon2-2.2/debian/changelog	2013-03-21 21:26:58.000000000 -0400
@@ -1,3 +1,11 @@
+wagon2 (2.2-3+nmu1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix cve-2013-0253: doesn't check SSL certificates by default
+    (closes: #701991).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Fri, 22 Mar 2013 01:19:26 +0000
+
 wagon2 (2.2-3) unstable; urgency=low
 
   [ Damien Raude-Morvan ]
diff -Nru wagon2-2.2/debian/patches/cve-2013-0253.patch wagon2-2.2/debian/patches/cve-2013-0253.patch
--- wagon2-2.2/debian/patches/cve-2013-0253.patch	1969-12-31 19:00:00.000000000 -0500
+++ wagon2-2.2/debian/patches/cve-2013-0253.patch	2013-03-21 21:26:13.000000000 -0400
@@ -0,0 +1,23 @@
+Description: Enable SSL certificate checks by default
+Author: Michael Gilbert <mgilbert@debian.org>
+
+--- wagon2-2.2.orig/wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/AbstractHttpClientWagon.java
++++ wagon2-2.2/wagon-providers/wagon-http-shared4/src/main/java/org/apache/maven/wagon/shared/http4/AbstractHttpClientWagon.java
+@@ -235,7 +235,7 @@ public abstract class AbstractHttpClient
+      *
+      * @since 2.0
+      */
+-    protected static boolean sslEasy = Boolean.valueOf( System.getProperty( "maven.wagon.http.ssl.easy", "true" ) );
++    protected static boolean sslEasy = Boolean.valueOf( System.getProperty( "maven.wagon.http.ssl.insecure", "false" ) );
+ 
+     /**
+      * ssl hostname verifier is allow all by default. Disable this will use a browser compat hostname verifier
+@@ -244,7 +244,7 @@ public abstract class AbstractHttpClient
+      * @since 2.0
+      */
+     protected static boolean sslAllowAll =
+-        Boolean.valueOf( System.getProperty( "maven.wagon.http.ssl.allowall", "true" ) );
++        Boolean.valueOf( System.getProperty( "maven.wagon.http.ssl.allowall", "false" ) );
+ 
+     /**
+      * if using sslEasy certificate date issues will be ignored
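Review bot: The Javadoc kept as context above `sslAllowAll` still reads "ssl hostname verifier is allow all by default", which contradicts the new `"false"` default, so a reader of the patched file is told that hostname verification is off when it is now on. I would reword that comment to something like `* ssl hostname verification is enabled by default; setting maven.wagon.http.ssl.allowall to true disables it and accepts any host name`. The Javadoc for `sslEasy` starts outside this hunk, so I cannot see it, but it presumably still names `maven.wagon.http.ssl.easy` and should be checked against the renamed `maven.wagon.http.ssl.insecure` property. Because of the rename, an existing `-Dmaven.wagon.http.ssl.easy=true` setting is now silently ignored; that fails closed, but it deserves a line in the changelog or NEWS so users with self-signed repositories know which property to set.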
diff -Nru wagon2-2.2/debian/patches/series wagon2-2.2/debian/patches/series
--- wagon2-2.2/debian/patches/series	2012-05-27 15:10:23.000000000 -0400
+++ wagon2-2.2/debian/patches/series	2013-03-21 21:25:42.000000000 -0400
@@ -3,3 +3,4 @@
 add_explicit_log4j.diff
 no_mina_sshd.diff
 no_itcould_webdav.diff
+cve-2013-0253.patch
