Debian Bug report logs - #701991
maven3: CVE-2013-0253
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 1 Mar 2013 11:15:05 UTC
Severity: grave
Tags: patch, security
Fixed in version wagon2/2.2-3+nmu1
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org: Bug#701991; Package maven3. (Fri, 01 Mar 2013 11:15:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org. (Fri, 01 Mar 2013 11:15:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: maven3
Severity: grave
Tags: security
Justification: user security hole
Please see http://maven.apache.org/security.html for details.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org: Bug#701991; Package maven3. (Fri, 01 Mar 2013 13:03:08 GMT)
Acknowledgement sent to Gergely Nagy <algernon@balabit.hu>: Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. (Fri, 01 Mar 2013 13:03:08 GMT)
Message #10 received at 701991@bugs.debian.org:
Control: reassign -1 src:maven
Moritz Muehlenhoff <jmm@inutil.org> writes:
> Package: maven3
There is no maven3 package, so I'm reassigning to maven, which does have
a version >= 3, so I assume it is the package you meant to file the bug
against.
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see http://maven.apache.org/security.html for details.
>
> Cheers,
> Moritz
--
|8]
Bug reassigned from package 'maven3' to 'src:maven'. Request was from Gergely Nagy <algernon@balabit.hu> to 701991-submit@bugs.debian.org. (Fri, 01 Mar 2013 13:03:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#701991; Package src:maven. (Sat, 16 Mar 2013 12:42:09 GMT)
Acknowledgement sent to Niels Thykier <niels@thykier.net>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 16 Mar 2013 12:42:09 GMT)
Message #17 received at 701991@bugs.debian.org:
Control: reassign -1 src:wagon2
Control: tags -1 + patch
Hi,
The email does not appear to have reached the BTS, so I am resending it
(and quoting it in full).
~Niels
On 2013-03-15 04:49, Arnaud Fontaine wrote:
> Control: reassign -1 src:wagon2
> Control: tags -1 + patch
>
> Hello,
>
> This security issue is actually affecting libwagon2-java as, besides
> build improvements, maven 3.0.5 only bumps the wagon2 version from 2.2 to
> 2.4 (should maven be rebuilt when a fixed version has been
> uploaded?). Therefore, I'm reassigning this issue to wagon2 instead.
>
> According to [0], it is recommended to upgrade to Maven Wagon 2.4;
> however, this is not really possible as the new version requires (at
> least, when testing by changing the required version, I got more
> dependency errors later on) libmaven-parent-java >= 23, which is not
> available in the archive. Moreover, there are many unrelated changes, so
> the only solution is probably to backport the patches. The issue on the
> Maven Wagon BTS seems to be:
>
> https://jira.codehaus.org/browse/WAGON-385
>
> And the patches (quite small indeed):
>
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5
>
> As I don't know anything about Maven (I'm just hunting RC bugs ;-)),
> could you please confirm that these patches fix this issue? I can later
> NMU if it helps.
>
> Also, there seems to have been several other bug fixes (including
> security-related ones), not sure if they are really critical, just
> pointing out what I have found so far while checking git history from
> Maven Wagon 2.2 to 2.4:
>
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac
>
> Cheers,
>
>
>
Bug reassigned from package 'src:maven' to 'src:wagon2'. Request was from Niels Thykier <niels@thykier.net> to 701991-submit@bugs.debian.org. (Sat, 16 Mar 2013 12:42:09 GMT)
Added tag(s) patch. Request was from Niels Thykier <niels@thykier.net> to 701991-submit@bugs.debian.org. (Sat, 16 Mar 2013 12:42:09 GMT)
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#701991. (Sat, 16 Mar 2013 12:42:13 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#701991; Package src:wagon2. (Fri, 22 Mar 2013 01:36:04 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 22 Mar 2013 01:36:04 GMT)
Message #29 received at 701991@bugs.debian.org:
Hi,
I've uploaded an nmu fixing this issue. Please see attached patch.
Best wishes,
Mike
[wagon2.patch (application/octet-stream, attachment)]
Reply sent to Michael Gilbert <mgilbert@debian.org>: You have taken responsibility. (Fri, 22 Mar 2013 01:51:09 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Fri, 22 Mar 2013 01:51:09 GMT)
Message #34 received at 701991-close@bugs.debian.org:
Source: wagon2
Source-Version: 2.2-3+nmu1
We believe that the bug you reported is fixed in the latest version of
wagon2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 701991@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated wagon2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 22 Mar 2013 01:19:26 +0000
Source: wagon2
Binary: libwagon2-java
Architecture: source all
Version: 2.2-3+nmu1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
libwagon2-java - resources' transport abstraction that is used in Maven
Closes: 701991
Changes:
wagon2 (2.2-3+nmu1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2013-0253: doesn't check SSL certificates by default
(closes: #701991).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Apr 2013 07:32:10 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:37:30 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.