CVE-2021-26291: Apache Maven may follow repositories that are defined in a dependency's Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior to no longer follow http (non-SSL) repository references by default in version 3.8.1.

Maintainers, please bump.
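As an added illustration of the risk described in this report (example code written for this page, not part of the Gentoo bug, the ebuild, or Maven itself): the script below parses a POM and flags `<repository>` and `<pluginRepository>` entries whose URL is plain http on a non-local host, which is the class of reference that Maven 3.8.1 stops following by default. The sample POM, its repository ids and the `*.example.test` hostnames are constructed for the example; the "external http" rule mirrors my understanding of Maven's `external:http:*` mirror pattern (anything not on localhost and not file-based), so treat that mapping as an assumption rather than Maven's own code.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample POM for this example: one https repository, one plain-http
# repository on a local proxy, and two plain-http repositories on remote hosts.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>legacy-mirror</id>
      <url>http://repo.example.test/maven2</url>
    </repository>
    <repository>
      <id>central-tls</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
    <repository>
      <id>local-proxy</id>
      <url>http://localhost:8081/repository/maven-public</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins-plain</id>
      <url>http://plugins.example.test/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def _local_tag(element):
    """Strip the XML namespace so POMs with or without xmlns are handled alike."""
    return element.tag.split("}", 1)[1] if "}" in element.tag else element.tag


def _children(element, name):
    return [child for child in element if _local_tag(child) == name]


def _text(element, name, default=""):
    found = _children(element, name)
    return (found[0].text or default).strip() if found else default


def iter_repositories(pom_xml):
    """Yield (section, id, url) for every repository declared in the POM."""
    root = ET.fromstring(pom_xml)
    for section, child in (("repositories", "repository"),
                           ("pluginRepositories", "pluginRepository")):
        for block in _children(root, section):
            for repo in _children(block, child):
                yield section, _text(repo, "id", "(no id)"), _text(repo, "url")


def is_external_http(url):
    """Plain http to a host other than the local machine.

    Assumption: this approximates Maven's 'external:http:*' mirror pattern,
    which excludes localhost and file-based URLs but matches every other
    http:// repository.
    """
    parsed = urlparse(url)
    if parsed.scheme != "http":
        return False
    host = (parsed.hostname or "").lower()
    return host not in ("localhost", "127.0.0.1", "::1")


def find_plain_http_repositories(pom_xml):
    """Return the repository entries a 3.8.1 default configuration would block."""
    return [(section, rid, url)
            for section, rid, url in iter_repositories(pom_xml)
            if is_external_http(url)]


if __name__ == "__main__":
    for section, rid, url in find_plain_http_repositories(SAMPLE_POM):
        print(f"{section}: {rid} -> {url}  (plain http, subject to takeover or spoofing)")
```

Because the advisory is about repositories declared in a dependency's POM, not only your own, the useful input is the set of `*.pom` files Maven has cached under `~/.m2/repository`; feeding each of those to `find_plain_http_repositories` shows which transitive dependencies would have redirected resolution to an unauthenticated http host before the 3.8.1 default change.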
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20c6d4a5c0ca051049538209265371773be09ece

commit 20c6d4a5c0ca051049538209265371773be09ece
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-25 07:55:43 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-25 07:55:43 +0000

    dev-java/maven-bin: bump to 3.8.1

    Bug: https://bugs.gentoo.org/785478
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/maven-bin/Manifest               |  1 +
 dev-java/maven-bin/maven-bin-3.8.1.ebuild | 67 +++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
Should I drop all the older versions? Upstream still did not EOL them: http://maven.apache.org/docs/history.html
(In reply to Miroslav Šulc from comment #2)
> should i drop all the older versions? upstream still did not eol them:
> http://maven.apache.org/docs/history.html

If possible, please do! Though if upstream is keeping versions with known security issues I wonder if they should be nagged about it or if there are backported patches that I've not noticed. We'll also need to stable the new version before cleanup can happen, it seems?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058757e589985848f0ad10fed9253b6fdbace5d1

commit 058757e589985848f0ad10fed9253b6fdbace5d1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-26 05:05:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-26 05:05:46 +0000

    dev-java/maven-bin: removed most obsolete and vulnerable versions

    Bug: https://bugs.gentoo.org/785478
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/maven-bin/Manifest                  |  3 --
 dev-java/maven-bin/maven-bin-3.1.1-r1.ebuild | 59 ----------------------------
 dev-java/maven-bin/maven-bin-3.2.5-r1.ebuild | 58 ---------------------------
 dev-java/maven-bin/maven-bin-3.3.9-r1.ebuild | 59 ----------------------------
 4 files changed, 179 deletions(-)
I removed most of the versions except the last stable. We can now proceed with stabilization of the unaffected version; once stabilized I'll remove the last affected.
amd64 done
x86 done

all arches done
Thanks! Please clean up.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05c2cdefba5604efaf3602af4272cc970218b042

commit 05c2cdefba5604efaf3602af4272cc970218b042
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 05:33:36 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 05:33:36 +0000

    dev-java/maven-bin: removed obsolete and vulnerable 3.6.3

    Bug: https://bugs.gentoo.org/785478
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/maven-bin/Manifest               |  1 -
 dev-java/maven-bin/maven-bin-3.6.3.ebuild | 67 -------------------------------
 2 files changed, 68 deletions(-)
The tree is clean now, you can proceed.
Unable to check for sanity:

> no match for package: dev-java/maven-bin-3.8.1