Your message dated Fri, 27 Feb 2015 13:33:53 +0000
with message-id <e1yrl3b-0001ew...@franck.debian.org>
and subject line Bug#779338: fixed in maven2-core 2.2.1-17
has caused the Debian Bug report #779338,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
779338: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779338
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using plain HTTP and do not check any kind of signature on the code before running it. This is a very bad situation, making it quite easy for malicious actors to take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation. HTTPS is now fully supported on maven central, so Debian's maven should also default to HTTPS. A user can set this in ~/.m2/settings.xml, and it works fine with the Debian version of maven. But this really needs to be the default, and it should just be a matter of adding this config information to /etc/maven/settings.xml

http://central.sonatype.org/pages/consumers.html#apache-maven
--- End Message ---
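The report above asks for HTTPS to be the default for every artifact source Maven talks to. The following script audits a settings.xml for that property; it is an added example, not Debian's or Maven's own code, and the settings.xml content it parses is a constructed sample (the `internal` repository and `example.invalid` hosts are placeholders).

```python
"""Audit a Maven settings.xml for plain-HTTP repository and mirror URLs.

Added example (not Debian's or Maven's code): it checks every <url> Maven
may fetch artifacts from (mirrors, profile repositories, pluginRepositories)
for the https:// scheme this bug report asks to make the default.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the corrected HTTPS mirror for central, a mirror of a
# hypothetical "internal" repository still on plain HTTP, and that
# repository's own plain-HTTP definition in a profile.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror><id>central-secure</id>
      <url>https://repo1.maven.org/maven2</url><mirrorOf>central</mirrorOf></mirror>
    <mirror><id>internal-insecure</id>
      <url>http://mirror.example.invalid/maven2</url><mirrorOf>internal</mirrorOf></mirror>
  </mirrors>
  <profiles><profile><id>legacy</id>
    <repositories><repository><id>internal</id>
      <url>http://repo.example.invalid/maven2</url></repository></repositories>
  </profile></profiles>
</settings>
"""

def _local(tag):
    """Strip the XML namespace so files with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]

def find_insecure_urls(settings_xml):
    """Return (kind, id, url) for every artifact source whose URL is not https."""
    root = ET.fromstring(settings_xml)
    findings = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("mirror", "repository", "pluginRepository"):
            continue
        # Collect the direct children (<id>, <url>, <mirrorOf>, ...) by local name.
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        url = fields.get("url", "")
        if url and urlparse(url).scheme.lower() != "https":
            findings.append((kind, fields.get("id"), url))
    return findings

if __name__ == "__main__":
    for kind, ident, url in find_insecure_urls(SAMPLE_SETTINGS):
        print(f"{kind} '{ident}' fetches artifacts over {url}")
```

Run it against /etc/maven/settings.xml and ~/.m2/settings.xml; an empty result means every configured source is reached over TLS.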
--- Begin Message ---
Source: maven2-core
Source-Version: 2.2.1-17

We believe that the bug you reported is fixed in the latest version of maven2-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 779...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated maven2-core package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 27 Feb 2015 11:46:36 +0100
Source: maven2-core
Binary: libmaven2-core-java libmaven2-core-java-doc
Architecture: source all
Version: 2.2.1-17
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libmaven2-core-java - Core libraries for Maven2
 libmaven2-core-java-doc - API documentation for Maven2
Closes: 779338
Changes:
 maven2-core (2.2.1-17) unstable; urgency=high
 .
   * Team upload.
   * Use a secure connection by default to download artifacts from the
     Maven Central repository (Closes: #779338)
   * Moved the package to Git
--- End Message ---