Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 downloads from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on maven central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml

http://central.sonatype.org/pages/consumers.html#apache-maven


Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to