Your message dated Fri, 27 Feb 2015 17:34:03 +0000
with message-id <e1yronb-0005zz...@franck.debian.org>
and subject line Bug#779331: fixed in maven 3.0.5-3
has caused the Debian Bug report #779331,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
to take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on maven central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml

http://central.sonatype.org/pages/consumers.html#apache-maven


--- End Message ---
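A check for the setting the report asks for, as an added example that is not part of the bug report or of Debian's maven package: it parses a `settings.xml`, flags every mirror or repository URL that is not HTTPS, and carries the constructed insecure and hardened mirror blocks inline. The `central-secure` mirror id and the `repo1.maven.org` URL are assumptions based on the standard Maven mirror format, not values taken from this page.

```python
"""Audit a Maven settings.xml for repository/mirror URLs that are not HTTPS."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample: a settings.xml that pins Central to plain HTTP
# (hypothetical content, not Debian's /etc/maven/settings.xml).
INSECURE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central</id>
      <mirrorOf>central</mirrorOf>
      <url>http://repo1.maven.org/maven2</url>
    </mirror>
  </mirrors>
</settings>"""

# Constructed sample: the hardened variant. The mirror id is an assumption;
# what matters to Maven is mirrorOf=central plus the https URL.
SECURE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-secure</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo1.maven.org/maven2</url>
    </mirror>
  </mirrors>
</settings>"""

# Elements whose <url> child names a place Maven will fetch artifacts from.
URL_BEARING = ("mirror", "repository", "pluginRepository")


def _local(tag: str) -> str:
    """Strip the XML namespace Maven puts on every settings element."""
    return tag.rsplit("}", 1)[-1]


def find_insecure_urls(settings_xml: str) -> List[Tuple[str, str]]:
    """Return (element path, url) for each fetch URL that is not https://."""
    root = ET.fromstring(settings_xml)
    findings: List[Tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        for child in elem:
            child_path = path + "/" + _local(child.tag)
            if _local(child.tag) == "url" and _local(elem.tag) in URL_BEARING:
                url = (child.text or "").strip()
                if not url.lower().startswith("https://"):
                    findings.append((child_path, url))
            walk(child, child_path)

    walk(root, _local(root.tag))
    return findings
```

The same walk applies unchanged to the `<repositories>` and `<pluginRepositories>` blocks inside a `<profile>`, so the function also catches HTTP repositories added per-project rather than through a mirror.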
--- Begin Message ---
Source: maven
Source-Version: 3.0.5-3

We believe that the bug you reported is fixed in the latest version of
maven, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated maven package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 27 Feb 2015 17:56:07 +0100
Source: maven
Binary: maven
Architecture: source all
Version: 3.0.5-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 maven      - Java software project management and comprehension tool
Closes: 779331
Changes:
 maven (3.0.5-3) unstable; urgency=high
 .
   * Team upload.
   * Use a secure connection by default to download artifacts
     from the Maven Central repository (Closes: #779331)


--- End Message ---