Bug 785478 (CVE-2021-26291) - <dev-java/maven-bin-3.8.1: pom dependencies using HTTP by default
Summary: <dev-java/maven-bin-3.8.1: pom dependencies using HTTP by default
Status: IN_PROGRESS
Alias: CVE-2021-26291
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.apache.org/thread.html/...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-25 03:52 UTC by John Helmert III
Modified: 2021-09-24 06:52 UTC

See Also:
Package list:
dev-java/maven-bin-3.8.1
Runtime testing required: ---
nattka: sanity-check-


Attachments

Description John Helmert III gentoo-dev Security 2021-04-25 03:52:07 UTC
CVE-2021-26291:

Apache Maven may follow repositories that are defined in a
dependency’s Project Object Model (pom) which may be surprising to
some users, resulting in potential risk if a malicious actor takes
over that repository or is able to insert themselves into a position
to pretend to be that repository. Maven is changing the default
behavior to no longer follow http (non-SSL) repository references by
default in version 3.8.1


Maintainers, please bump.
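The CVE text above describes Maven following repositories declared in a dependency's POM, which 3.8.1 stops doing for plain http by default through a blocking mirror in its default settings.xml. As an added example (not from this bug report or from Maven's own code), the Python check below parses a constructed pom.xml and flags the repository and pluginRepository entries that the 3.8.1 default blocker would refuse; the hostnames, ids and POM content are made up, and the filter assumes Maven's `external:http:*` mirror pattern (http scheme, host other than localhost/127.0.0.1).

```python
# Added example (not from the bug or from Maven): list the repositories in a
# pom.xml that Maven < 3.8.1 would follow over plain HTTP. The filter mirrors the
# "external:http:*" pattern of the maven-default-http-blocker mirror that Maven
# 3.8.1 ships in its default settings.xml: every http:// repository is blocked
# except those on localhost/127.0.0.1 (file: and https: URLs are unaffected).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample POM (not a real project): one HTTPS repo, one external HTTP
# repo, one loopback HTTP repo and one HTTP plugin repo.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>central-tls</id><url>https://repo.example.test/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.test/legacy</url></repository>
    <repository><id>local-dev</id><url>http://localhost:8081/repo</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>http://plugins.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

def is_external_http(url: str) -> bool:
    """True if a repository URL matches Maven's external:http:* mirror pattern."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "http":  # https, file, etc. are not affected
        return False
    return parsed.hostname not in ("localhost", "127.0.0.1")

def find_http_repositories(pom_xml: str):
    """Return (kind, id, url) for every repository the 3.8.1 blocker would refuse."""
    root = ET.fromstring(pom_xml)
    findings = []
    for kind, tag in (("repository", "repositories/repository"),
                      ("pluginRepository", "pluginRepositories/pluginRepository")):
        path = "/".join(POM_NS + part for part in tag.split("/"))
        for repo in root.findall(path):
            url = repo.findtext(POM_NS + "url", default="")
            if is_external_http(url):
                findings.append((kind, repo.findtext(POM_NS + "id", default="?"), url))
    return findings

if __name__ == "__main__":
    for kind, rid, url in find_http_repositories(SAMPLE_POM):
        print(f"{kind} '{rid}' uses plain HTTP and would be blocked by Maven >= 3.8.1: {url}")
```

Run against a real multi-module build, the same check applies to every pom.xml in the tree, including the parent POMs of transitive dependencies fetched into the local repository.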
Comment 1 Larry the Git Cow gentoo-dev 2021-04-25 07:55:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20c6d4a5c0ca051049538209265371773be09ece

commit 20c6d4a5c0ca051049538209265371773be09ece
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-25 07:55:43 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-25 07:55:43 +0000

    dev-java/maven-bin: bump to 3.8.1
    
    Bug: https://bugs.gentoo.org/785478
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/maven-bin/Manifest               |  1 +
 dev-java/maven-bin/maven-bin-3.8.1.ebuild | 67 +++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
Comment 2 Miroslav Šulc gentoo-dev 2021-04-25 07:56:37 UTC
Should I drop all the older versions? Upstream still did not EOL them: http://maven.apache.org/docs/history.html
Comment 3 John Helmert III gentoo-dev Security 2021-04-25 23:36:18 UTC
(In reply to Miroslav Šulc from comment #2)
> should i drop all the older versions? upstream still did not eol them:
> http://maven.apache.org/docs/history.html

If possible, please do! Though if upstream is keeping versions with known security issues I wonder if they should be nagged about it or if there are backported patches that I've not noticed.

We'll also need to stable the new version before cleanup can happen, it seems?
Comment 4 Larry the Git Cow gentoo-dev 2021-04-26 05:06:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058757e589985848f0ad10fed9253b6fdbace5d1

commit 058757e589985848f0ad10fed9253b6fdbace5d1
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-26 05:05:46 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-26 05:05:46 +0000

    dev-java/maven-bin: removed most obsolete and vulnerable versions
    
    Bug: https://bugs.gentoo.org/785478
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/maven-bin/Manifest                  |  3 --
 dev-java/maven-bin/maven-bin-3.1.1-r1.ebuild | 59 ----------------------------
 dev-java/maven-bin/maven-bin-3.2.5-r1.ebuild | 58 ---------------------------
 dev-java/maven-bin/maven-bin-3.3.9-r1.ebuild | 59 ----------------------------
 4 files changed, 179 deletions(-)
Comment 5 Miroslav Šulc gentoo-dev 2021-04-26 05:08:11 UTC
I removed most of the versions except the last stable one. We can now proceed with stabilization of the unaffected version; once it is stabilized, I'll remove the last affected one.
Comment 6 Sam James archtester gentoo-dev Security 2021-04-26 19:08:00 UTC
amd64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-04-26 19:09:31 UTC
x86 done

all arches done
Comment 8 John Helmert III gentoo-dev Security 2021-04-26 23:42:37 UTC
Thanks! Please cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2021-04-27 05:33:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05c2cdefba5604efaf3602af4272cc970218b042

commit 05c2cdefba5604efaf3602af4272cc970218b042
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 05:33:36 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 05:33:36 +0000

    dev-java/maven-bin: removed obsolete and vulnerable 3.6.3
    
    Bug: https://bugs.gentoo.org/785478
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/maven-bin/Manifest               |  1 -
 dev-java/maven-bin/maven-bin-3.6.3.ebuild | 67 -------------------------------
 2 files changed, 68 deletions(-)
Comment 10 Miroslav Šulc gentoo-dev 2021-04-27 05:34:25 UTC
The tree is clean now, you can proceed.
Comment 11 NATTkA bot gentoo-dev 2021-09-24 06:52:53 UTC
Unable to check for sanity:

> no match for package: dev-java/maven-bin-3.8.1