Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 downloads from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
take over the machines where maven is used:

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on maven central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to

Attachment: signature.asc
Description: OpenPGP digital signature

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to