Re: Bug#701991: maven3: CVE-2013-0253

[Gergely Nagy]

Control: reassign -1 src:maven

Moritz Muehlenhoff  writes:

> Package: maven3

There is no maven3 package, so I'm reassigning to maven, which does have
a version >= 3, so I assume it is the package you meant to file the bug
against.

> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see http://maven.apache.org/security.html for details.
>
> Cheers,
> Moritz

-- 
|8]


__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Re: Bug#701991: maven3: CVE-2013-0253

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 src:wagon2
Bug #701991 [src:wagon2] maven3: CVE-2013-0253
Ignoring request to reassign bug #701991 to the same package
> tags -1 + patch
Bug #701991 [src:wagon2] maven3: CVE-2013-0253
Ignoring request to alter tags of bug #701991 to the same tags previously set

-- 
701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Re: Bug#701991: maven3: CVE-2013-0253

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 src:wagon2
Bug #701991 [src:maven] maven3: CVE-2013-0253
Bug reassigned from package 'src:maven' to 'src:wagon2'.
Ignoring request to alter found versions of bug #701991 to the same values 
previously set
Ignoring request to alter fixed versions of bug #701991 to the same values 
previously set
> tags -1 + patch
Bug #701991 [src:wagon2] maven3: CVE-2013-0253
Added tag(s) patch.

-- 
701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Re: Bug#701991: maven3: CVE-2013-0253

[Arnaud Fontaine]

Control: reassign -1 src:wagon2
Control: tags -1 + patch

Hello,

This security issue is actually  affecting libwagon2-java as, besides of
build improvements,  maven 3.0.5 only  bumps wagon2 version from  2.2 to
2.4  (should   maven  be   rebuilt  when  a   fixed  version   has  been
uploaded?). Therefore, I'm reassigning this issue to wagon2 instead.

According  to [0],  it  is recommended  to upgrade  to  Maven Wagon  2.4
however this  is not  really possible  as the  new version  requires (at
least,  when  testing by  changing  the  required  version, I  got  more
dependency  errors later  on) libmaven-parent-java  >= 23  which is  not
available in the archive.  Moreover, there are many unrelated changes so
the only  solution is  probably to  backport the  patches. The  issue on
Maven Wagon BTS seems to be:

https://jira.codehaus.org/browse/WAGON-385

And the patches (quite small indeed):

https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5

As I  don't know anything  about Maven (I'm  just hunting RC  bugs ;-)),
could you please confirm that these patches fix this issue?  I can later
NMU if it helps.

Also,  there seems  to  have  been several  other  bug fixes  (including
security-related  ones), not  sure  if they  are  really critical,  just
pointing out  what I have found  so far while checking  git history from
Maven Wagon 2.2 to 2.4:

https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac

Cheers,
-- 
Arnaud Fontaine

[0] http://maven.apache.org/security.html


pgp0kgRrm2IdH.pgp
Description: PGP signature
__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Re: Bug#701991: maven3: CVE-2013-0253

[Debian Bug Tracking System]

Processing control commands:

> reassign -1 src:maven
Bug #701991 [maven3] maven3: CVE-2013-0253
Warning: Unknown package 'maven3'
Bug reassigned from package 'maven3' to 'src:maven'.
Ignoring request to alter found versions of bug #701991 to the same values 
previously set
Ignoring request to alter fixed versions of bug #701991 to the same values 
previously set

-- 
701991: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701991
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.