Bug#779331: marked as done (maven downloads and runs completely unauthed jars via HTTP)

2015-03-06 Thread Debian Bug Tracking System
Your message dated Fri, 06 Mar 2015 21:17:11 +
with message-id e1ytzcn-0001yd...@franck.debian.org
and subject line Bug#779331: fixed in maven 3.0.4-3+deb7u1
has caused the Debian Bug report #779331,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
to take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on Maven Central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml:

http://central.sonatype.org/pages/consumers.html#apache-maven

---End Message---
---BeginMessage---
Source: maven
Source-Version: 3.0.4-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
maven, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg ebo...@apache.org (supplier of updated maven package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 27 Feb 2015 17:56:07 +0100
Source: maven
Binary: maven
Architecture: source all
Version: 3.0.4-3+deb7u1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg ebo...@apache.org
Description: 
 maven  - Java software project management and comprehension tool
Closes: 779331
Changes: 
 maven (3.0.4-3+deb7u1) stable; urgency=high
 .
   * Team upload.
   * Use a secure connection by default to download artifacts
 from the Maven Central repository (Closes: #779331)

---End Message---
__
This is the maintainer address of Debian's Java team

Bug#779331: marked as done (maven downloads and runs completely unauthed jars via HTTP)

2015-02-27 Thread Debian Bug Tracking System
Your message dated Fri, 27 Feb 2015 17:34:03 +
with message-id e1yronb-0005zz...@franck.debian.org
and subject line Bug#779331: fixed in maven 3.0.5-3
has caused the Debian Bug report #779331,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
to take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on Maven Central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml:

http://central.sonatype.org/pages/consumers.html#apache-maven

---End Message---
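An added check, not code from the bug report or from Debian's maven package, that audits the repository URLs in a settings.xml or pom.xml and flags any that are not served over HTTPS. The sample documents are constructed for illustration: the `.invalid` hostnames are placeholders, and the `<mirror>` entry is the Central-over-HTTPS override that the report asks to make the default.

```python
"""Audit Maven settings.xml / pom.xml for repositories fetched over plain HTTP.

Example code, not from the bug report. Walks <mirror>, <repository> and
<pluginRepository> elements and reports every URL that is not https://.
"""
import xml.etree.ElementTree as ET

# Constructed settings.xml: redirects everything resolving to "central" to
# the HTTPS endpoint of Maven Central (the fix the report describes).
SECURE_SETTINGS = """<settings>
  <mirrors>
    <mirror>
      <id>central-secure</id>
      <url>https://repo1.maven.org/maven2</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
</settings>"""

# Constructed pom.xml fragment: one plain-HTTP repository (the weak setting)
# beside one HTTPS plugin repository. Hostnames are placeholders.
INSECURE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>example-internal</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>example-plugins</id>
      <url>https://plugins.example.invalid/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>"""


def _local(tag):
    # Strip the XML namespace: pom.xml declares one, settings.xml usually does not.
    return tag.rsplit('}', 1)[-1]


def insecure_repo_urls(xml_text):
    """Return [(id, url)] for each repository-like element whose URL is not https."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) not in ('mirror', 'repository', 'pluginRepository'):
            continue
        fields = {_local(c.tag): (c.text or '').strip() for c in elem}
        url = fields.get('url')
        if url is not None and not url.lower().startswith('https://'):
            findings.append((fields.get('id'), url))
    return findings
```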
---BeginMessage---
Source: maven
Source-Version: 3.0.5-3

We believe that the bug you reported is fixed in the latest version of
maven, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg ebo...@apache.org (supplier of updated maven package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 27 Feb 2015 17:56:07 +0100
Source: maven
Binary: maven
Architecture: source all
Version: 3.0.5-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg ebo...@apache.org
Description:
 maven  - Java software project management and comprehension tool
Closes: 779331
Changes:
 maven (3.0.5-3) unstable; urgency=high
 .
   * Team upload.
   * Use a secure connection by default to download artifacts
 from the Maven Central repository (Closes: #779331)

---End Message---