Your message dated Fri, 06 Mar 2015 21:17:11 +0000
with message-id <e1ytzcn-0001yd...@franck.debian.org>
and subject line Bug#779331: fixed in maven 3.0.4-3+deb7u1
has caused the Debian Bug report #779331,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
to take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on Maven Central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml:

http://central.sonatype.org/pages/consumers.html#apache-maven


--- End Message ---
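The report above describes the weak setting (central fetched over plain HTTP) and points at the mirror entry that forces HTTPS. The following added example, which is not part of the bug report or of the Debian package, embeds a constructed weak settings.xml beside a constructed hardened one and scans both for any mirror or repository URL that is not served over https; the mirror ids and the repo1.maven.org host are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements whose <url> child tells Maven where to fetch artifacts from.
REMOTE_SOURCE_TAGS = {"mirror", "repository", "pluginRepository"}

def _local(tag):
    """Strip a namespace prefix such as {http://maven.apache.org/SETTINGS/1.0.0}."""
    return tag.rsplit("}", 1)[-1]

def insecure_urls(settings_xml):
    """Return (tag, id, url) for every remote source whose URL is not https."""
    root = ET.fromstring(settings_xml)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REMOTE_SOURCE_TAGS:
            continue
        url = next((c.text or "" for c in elem if _local(c.tag) == "url"), "").strip()
        rid = next((c.text or "" for c in elem if _local(c.tag) == "id"), "").strip()
        if url and urlsplit(url).scheme.lower() != "https":
            findings.append((_local(elem.tag), rid, url))
    return findings

# Constructed weak configuration: central mirrored over plain HTTP, the transport Maven < 3.2.3 used by default.
WEAK_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-plain</id>
      <mirrorOf>central</mirrorOf>
      <url>http://repo1.maven.org/maven2</url>
    </mirror>
  </mirrors>
</settings>"""

# Constructed hardened configuration: every request for "central" is routed through TLS.
# This is the shape of the entry the report wants in /etc/maven/settings.xml (id and host assumed).
SECURE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>central-secure</id>
      <mirrorOf>central</mirrorOf>
      <url>https://repo1.maven.org/maven2</url>
    </mirror>
  </mirrors>
</settings>"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_SETTINGS), ("secure", SECURE_SETTINGS)):
        print(name, insecure_urls(doc))
```

Running the check against a real ~/.m2/settings.xml or /etc/maven/settings.xml only needs the file contents passed to insecure_urls; an empty list means every configured remote source uses https.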
--- Begin Message ---
Source: maven
Source-Version: 3.0.4-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
maven, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated maven package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 27 Feb 2015 17:56:07 +0100
Source: maven
Binary: maven
Architecture: source all
Version: 3.0.4-3+deb7u1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description: 
 maven      - Java software project management and comprehension tool
Closes: 779331
Changes: 
 maven (3.0.4-3+deb7u1) stable; urgency=high
 .
   * Team upload.
   * Use a secure connection by default to download artifacts
     from the Maven Central repository (Closes: #779331)


--- End Message ---