Your message dated Fri, 06 Mar 2015 21:17:11 +0000
with message-id <e1ytzcn-0001yd...@franck.debian.org>
and subject line Bug#779331: fixed in maven 3.0.4-3+deb7u1
has caused the Debian Bug report #779331,
regarding maven downloads and runs completely unauthed jars via HTTP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
779331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it. This is a very bad situation, making it quite easy for malicious actors to
take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation. HTTPS is
now fully supported on Maven Central, so Debian's maven should also default to
HTTPS. A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven. But this really needs to be the default, and it should
just be a matter of adding this config information to /etc/maven/settings.xml:

http://central.sonatype.org/pages/consumers.html#apache-maven
--- End Message ---
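The settings.xml mirror entry the report refers to (Maven Central over HTTPS), next to a config that still uses plain HTTP, with a small audit that flags every repository or mirror URL not served over https. This is an added example, not code from the bug report or from the Debian maven package; the sample settings documents are constructed and `insecure_repository_urls` is an assumed helper name, not a Maven feature.

```python
"""Audit Maven settings.xml / pom.xml for repository URLs not served over HTTPS.
Added example (not from the bug report or the Debian package); the function
name is an assumed helper, not a Maven feature."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: route every request for "central" to Maven Central over HTTPS.
SECURE_SETTINGS = """<settings>
  <mirrors>
    <mirror>
      <id>central-secure</id>
      <url>https://repo1.maven.org/maven2</url>
      <mirrorOf>central</mirrorOf>
    </mirror>
  </mirrors>
</settings>"""

# Constructed sample: a mirror and a profile repository that still use plain HTTP.
INSECURE_SETTINGS = """<settings>
  <mirrors>
    <mirror><id>central-plain</id>
      <url>http://repo1.maven.org/maven2</url><mirrorOf>central</mirrorOf></mirror>
  </mirrors>
  <profiles><profile><id>extra</id><repositories>
    <repository><id>extra-repo</id><url>http://example.invalid/maven2</url></repository>
  </repositories></profile></profiles>
</settings>"""

def _local(tag):
    """Strip a namespace prefix ({ns}name -> name); pom.xml and settings.xml use one."""
    return tag.rsplit("}", 1)[-1]

def insecure_repository_urls(xml_text):
    """Return (id, url) for every <mirror>, <repository> or <pluginRepository>
    whose <url> is missing or does not use the https scheme."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in ("mirror", "repository", "pluginRepository"):
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        url = fields.get("url", "")
        if urlparse(url).scheme.lower() != "https":
            findings.append((fields.get("id"), url))
    return findings

if __name__ == "__main__":
    for name, text in (("secure", SECURE_SETTINGS), ("insecure", INSECURE_SETTINGS)):
        print(name, insecure_repository_urls(text))
```

Run it against ~/.m2/settings.xml, /etc/maven/settings.xml and each pom.xml to find any repository still reachable only over plain HTTP; remember that a repository with no explicit entry falls back to the super POM's default URL, which this check does not see.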
--- Begin Message ---
Source: maven
Source-Version: 3.0.4-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
maven, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated maven package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Fri, 27 Feb 2015 17:56:07 +0100
Source: maven
Binary: maven
Architecture: source all
Version: 3.0.4-3+deb7u1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 maven      - Java software project management and comprehension tool
Closes: 779331
Changes:
 maven (3.0.4-3+deb7u1) stable; urgency=high
 .
   * Team upload.
   * Use a secure connection by default to download artifacts from the
     Maven Central repository (Closes: #779331)
--- End Message ---