Processed: Re: Bug#701991: maven3: CVE-2013-0253
Processing control commands:

reassign -1 src:wagon2
Bug #701991 [src:maven] maven3: CVE-2013-0253
Bug reassigned from package 'src:maven' to 'src:wagon2'.
Ignoring request to alter found versions of bug #701991 to the same values previously set
Ignoring request to alter fixed versions of bug #701991 to the same values previously set
tags -1 + patch
Bug #701991 [src:wagon2] maven3: CVE-2013-0253
Added tag(s) patch.

--
701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Processed: Re: Bug#701991: maven3: CVE-2013-0253
Processing control commands:

reassign -1 src:wagon2
Bug #701991 [src:wagon2] maven3: CVE-2013-0253
Ignoring request to reassign bug #701991 to the same package
tags -1 + patch
Bug #701991 [src:wagon2] maven3: CVE-2013-0253
Ignoring request to alter tags of bug #701991 to the same tags previously set

--
701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#701991: maven3: CVE-2013-0253
Control: reassign -1 src:wagon2
Control: tags -1 + patch

Hi,

The email does not appear to have reached the BTS, so I am resending it (and quoting it in full).

~Niels

On 2013-03-15 04:49, Arnaud Fontaine wrote:
> Control: reassign -1 src:wagon2
> Control: tags -1 + patch
>
> Hello,
>
> This security issue is actually affecting libwagon2-java as, besides build improvements, maven 3.0.5 only bumps wagon2 version from 2.2 to 2.4 (should maven be rebuilt when a fixed version has been uploaded?). Therefore, I'm reassigning this issue to wagon2 instead.
>
> According to [0], it is recommended to upgrade to Maven Wagon 2.4; however, this is not really possible as the new version requires (at least, when testing by changing the required version, I got more dependency errors later on) libmaven-parent-java = 23 which is not available in the archive. Moreover, there are many unrelated changes so the only solution is probably to backport the patches.
>
> The issue on Maven Wagon BTS seems to be:
> https://jira.codehaus.org/browse/WAGON-385
>
> And the patches (quite small indeed):
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5
>
> As I don't know anything about Maven (I'm just hunting RC bugs ;-)), could you please confirm that these patches fix this issue? I can later NMU if it helps.
>
> Also, there seem to have been several other bug fixes (including security-related ones), not sure if they are really critical, just pointing out what I have found so far while checking git history from Maven Wagon 2.2 to 2.4:
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac
>
> Cheers,

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use
debian-j...@lists.debian.org for discussions and questions.
Bug#701991: maven3: CVE-2013-0253
Package: maven3
Severity: grave
Tags: security
Justification: user security hole

Please see http://maven.apache.org/security.html for details.

Cheers,
Moritz
Bug#701991: maven3: CVE-2013-0253
Control: reassign -1 src:maven

Moritz Muehlenhoff j...@inutil.org writes:

> Package: maven3

There is no maven3 package, so I'm reassigning to maven, which does have a version = 3, so I assume it is the package you meant to file the bug against.

> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see http://maven.apache.org/security.html for details.
>
> Cheers,
> Moritz

--
|8]
Processed: Re: Bug#701991: maven3: CVE-2013-0253
Processing control commands:

reassign -1 src:maven
Bug #701991 [maven3] maven3: CVE-2013-0253
Warning: Unknown package 'maven3'
Bug reassigned from package 'maven3' to 'src:maven'.
Ignoring request to alter found versions of bug #701991 to the same values previously set
Ignoring request to alter fixed versions of bug #701991 to the same values previously set

--
701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems