*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

CVE Numbers

CVE-2021-26291 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291>,
CVE-2020-13956 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956>

Description

Multiple vulnerabilities have been reported in Apache Maven, which can be exploited by malicious people to bypass certain security restrictions.

1) An error when resolving custom repositories in dependency POMs over HTTP instead of HTTPS can be exploited to e.g. conduct a MitM (Man-in-the-Middle) attack.

The vulnerabilities are reported in versions prior to 3.8.1.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see if exactly your version is affected.

Solution

Update to version 3.8.1.

References

1. http://maven.apache.org/docs/3.8.1/release-notes.html

Please provide a solution as soon as possible.

** Affects: maven (Ubuntu)
     Importance: Undecided
         Status: New

--
Apache Maven Multiple Security Bypass Vulnerabilities
https://bugs.launchpad.net/bugs/1922654
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs