Your message dated Fri, 27 Feb 2015 15:20:04 +0000
with message-id <e1yrmhw-00061t...@franck.debian.org>
and subject line Bug#779337: fixed in maven2 2.2.1-22
has caused the Debian Bug report #779337,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779337: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779337
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
to take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on maven central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml:

http://central.sonatype.org/pages/consumers.html#apache-maven


Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
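The settings.xml change the report above describes, written out here as an added example (it is not part of the bug report, the linked Sonatype page, or the Debian package): a mirror entry for the `central` repository, so that every artifact Maven would otherwise fetch from its built-in plain-HTTP Central repository is fetched over HTTPS instead. The mirror id `central-secure` is a name chosen for this example, and the URL assumes the standard Maven Central endpoint `https://repo.maven.apache.org/maven2`. Placed in ~/.m2/settings.xml the mirror applies to one user; placed in /etc/maven/settings.xml it applies to every user on the machine, which is the system-wide default the report asks Debian to ship.

```xml
<!-- Added example (not from the bug report): route Maven Central through HTTPS.
     The mirror id is an arbitrary chosen name; the URL assumes the standard
     Central endpoint. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <mirror>
      <!-- Any id works; it only has to be unique within this settings file. -->
      <id>central-secure</id>
      <!-- "central" is the id of the repository (and plugin repository) that
           Maven's super POM defines over http://, so this mirror captures
           both artifact and plugin downloads. -->
      <mirrorOf>central</mirrorOf>
      <url>https://repo.maven.apache.org/maven2</url>
    </mirror>
  </mirrors>
</settings>
```

A quick way to confirm the mirror is in effect is to run a build with `mvn -X` and check that the `Downloading:` lines show only `https://` URLs. Note that this only changes the transport: it stops a network attacker from swapping the jars in transit, but it does nothing about the report's other point, that Maven runs the downloaded code without checking any signature on it.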
--- Begin Message ---
Source: maven2
Source-Version: 2.2.1-22

We believe that the bug you reported is fixed in the latest version of
maven2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated maven2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 27 Feb 2015 12:23:20 +0100
Source: maven2
Binary: maven2
Architecture: source all
Version: 2.2.1-22
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 maven2     - Java software project management and comprehension tool
Closes: 779337
Changes:
 maven2 (2.2.1-22) unstable; urgency=high
 .
   * Rebuild with libmaven2-core-java 2.2.1-17: Use a secure connection
     by default to download artifacts from the Maven Central repository
     (Closes: #779337)
   * Moved the package to Git
Checksums-Sha1:
 9c7945fea1bd52f2d78b337161275bf43b387620 2314 maven2_2.2.1-22.dsc
 6a9a38b38e6f24d1b251d8cf0333fe9aaa12fe01 18760 maven2_2.2.1-22.debian.tar.xz
 c2f65ca1eb7c0d86a07a9be9a5296f652c85edd1 2004446 maven2_2.2.1-22_all.deb
Checksums-Sha256:
 fbe002dea141837a6159d0c8a0beb858d38340b355a349ed6ae9718db890564f 2314 maven2_2.2.1-22.dsc
 103370ac345f2bf2e9549dc0731d84529484ce42ffd93711d33125c1d3802a94 18760 maven2_2.2.1-22.debian.tar.xz
 4aab9832b0ff385e3cb6fdea59d67947e0c63a996d3d89a2c83b6bd1b7a7d924 2004446 maven2_2.2.1-22_all.deb
Files:
 4fc025dcc72cf38052d3cb61bfc9bc56 2314 java optional maven2_2.2.1-22.dsc
 2470229a5b2513f56c1be17f9da24c12 18760 java optional maven2_2.2.1-22.debian.tar.xz
 216caadf8d907128a414476a6c07e704 2004446 java optional maven2_2.2.1-22_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
