Date: Mon, 19 Apr 2021 04:11:41 GMT
From: Kevin Bowling <kbowling@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 887cfadcdf5e - main - devel/maven: update to 3.8.1
Message-ID: <202104190411.13J4BfrC096512@gitrepo.freebsd.org>
The branch main has been updated by kbowling: URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 Author: Kevin Bowling <kbowling@FreeBSD.org> AuthorDate: 2021-04-19 04:05:30 +0000 Commit: Kevin Bowling <kbowling@FreeBSD.org> CommitDate: 2021-04-19 04:11:34 +0000 devel/maven: update to 3.8.1 This is not just a bugfix as it contains three features that cause a change of default behavior (external HTTP insecure URLs are now blocked by default): your builds may fail when using this new Maven release, if you use now blocked repositories. Please check and eventually fix before upgrading. Changes http://maven.apache.org/docs/3.8.1/release-notes.html PR: 255161 Approved by: Jonathan Chen <jonc@chen.org.nz> (maintainer) Security: CVE-2021-26291 CVE-2020-13956 --- devel/maven/Makefile | 2 +- devel/maven/distinfo | 6 ++--- devel/maven/pkg-plist | 18 ++++++------- security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 80 insertions(+), 13 deletions(-) diff --git a/devel/maven/Makefile b/devel/maven/Makefile index 42cac2993d5e..d2d77f4a1028 100644 --- a/devel/maven/Makefile +++ b/devel/maven/Makefile @@ -1,7 +1,7 @@ # Created by: JonathanChen <jonc@chen.org.nz> PORTNAME= maven -DISTVERSION= 3.6.3 +DISTVERSION= 3.8.1 CATEGORIES= devel java MASTER_SITES= APACHE/maven/maven-3/${DISTVERSION}/binaries DISTNAME= apache-maven-${DISTVERSION}-bin diff --git a/devel/maven/distinfo b/devel/maven/distinfo index 4912d96568fe..57ad8a2cf1ef 100644 --- a/devel/maven/distinfo +++ b/devel/maven/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1575665365 -SHA256 (apache-maven-3.6.3-bin.tar.gz) = 26ad91d751b3a9a53087aefa743f4e16a17741d3915b219cf74112bf87a438c5 -SIZE (apache-maven-3.6.3-bin.tar.gz) = 9506321 +TIMESTAMP = 1618695108 +SHA256 (apache-maven-3.8.1-bin.tar.gz) = b98a1905eb554d07427b2e5509ff09bd53e2f1dd7a0afa38384968b113abef02 +SIZE (apache-maven-3.8.1-bin.tar.gz) = 9536838 
diff --git a/devel/maven/pkg-plist b/devel/maven/pkg-plist index 4f40a59ef93a..3988d3cd5e82 100644 --- a/devel/maven/pkg-plist +++ b/devel/maven/pkg-plist @@ -45,13 +45,13 @@ %%DATADIR%%/lib/maven-model-builder-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-plugin-api-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-repository-metadata-%%PORTVERSION%%.jar -%%DATADIR%%/lib/maven-resolver-api-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-connector-basic-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-impl-1.4.1.jar +%%DATADIR%%/lib/maven-resolver-api-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-connector-basic-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-impl-1.6.2.jar %%DATADIR%%/lib/maven-resolver-provider-%%PORTVERSION%%.jar -%%DATADIR%%/lib/maven-resolver-spi-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-transport-wagon-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-util-1.4.1.jar +%%DATADIR%%/lib/maven-resolver-spi-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-transport-wagon-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-util-1.6.2.jar %%DATADIR%%/lib/maven-settings-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-settings-builder-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-shared-utils-3.2.1.jar @@ -72,7 +72,7 @@ %%DATADIR%%/lib/plexus-utils.license %%DATADIR%%/lib/slf4j-api-1.7.29.jar %%DATADIR%%/lib/slf4j-api.license -%%DATADIR%%/lib/wagon-file-3.3.4.jar -%%DATADIR%%/lib/wagon-http-3.3.4-shaded.jar -%%DATADIR%%/lib/wagon-provider-api-3.3.4.jar +%%DATADIR%%/lib/wagon-file-3.4.3.jar +%%DATADIR%%/lib/wagon-http-3.4.3-shaded.jar +%%DATADIR%%/lib/wagon-provider-api-3.4.3.jar %%DATADIR%%/maven-%%PORTVERSION%% diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 3359ddc18d34..97c9911ca975 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -76,6 +76,73 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a"> + <topic>Apache Maven -- multiple vulnerabilities</topic> + <affects> + <package> + <name>maven</name> + <range><lt>3.8.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache Maven project reports:</p> + <blockquote cite="http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291"> + <p>We received a report from Jonathan Leitschuh about a vulnerability + of custom repositories in dependency POMs. We've split this up + into three separate issues:</p> + <ul> + <li>Possible Man-In-The-Middle-Attack due to custom repositories + using HTTP. + + More and more repositories use HTTPS nowadays, but this + hasn't always been the case. This means that Maven Central contains + POMs with custom repositories that refer to a URL over HTTP. This + makes downloads via such repository a target for a MITM attack. At + the same time, developers are probably not aware that for some + downloads an insecure URL is being used. Because uploaded POMs to + Maven Central are immutable, a change for Maven was required. To + solve this, we extended the mirror configuration with blocked + parameter, and we added a new external:http:* mirror selector (like + existing external:*), meaning "any external URL using HTTP". + + The decision was made to block such external HTTP repositories by default: + this is done by providing a mirror in the conf/settings.xml blocking + insecure HTTP external URLs.</li> + <li>Possible Domain Hijacking due to custom repositories using abandoned + domains + + Sonatype has analyzed which domains were abandoned and has claimed these + domains.</li> + <li>Possible hijacking of downloads by redirecting to custom repositories + + This one was the hardest to analyze and explain. 
The short story is: + you're safe, dependencies are only downloaded from repositories within + their context. So there are two main questions: what is the context and + what is the order? The order is described on the Repository Order page. + The first group of repositories are defined in the settings.xml (both user + and global). The second group of repositories are based on inheritence, + with ultimately the super POM containing the URL to Maven Central. The + third group is the most complex one but is important to understand the + term context: repositories from the effective POMs from the dependency + path to the artifact. So if a dependency was defined by another dependency + or by a Maven project, it will also include their repositories. In the end + this is not a bug, but a design feature.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291</url> + <cvename>CVE-2021-26291</cvename> + <cvename>CVE-2020-13956</cvename> + </references> + <dates> + <discovery>2021-04-04</discovery> + <entry>2021-04-19</entry> + </dates> + </vuln> + <vuln vid="093a6baf-9f99-11eb-b150-000c292ee6b8"> <topic>Consul -- Multiple vulnerabilities</topic> <affects>
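Review bot: the commit message warns that builds may fail because Maven 3.8.1 now blocks external HTTP repositories by default, yet the devel/maven/Makefile hunk only bumps DISTVERSION from 3.6.3 to 3.8.1 and the file list shows no UPDATING entry or pkg-message change. Consider adding an UPDATING note (or a pkg-message) that points users at the new blocked `external:http:*` mirror in conf/settings.xml, so the behaviour change is visible at upgrade time rather than discovered as a failed build.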
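Review bot: in the devel/maven/pkg-plist hunks only the maven-resolver jars (1.4.1 to 1.6.2) and the wagon jars (3.3.4 to 3.4.3) change, while neighbouring versioned jars such as slf4j-api-1.7.29.jar and maven-shared-utils-3.2.1.jar remain in the unchanged context. Please confirm the plist was regenerated against the 3.8.1 tarball (for example with `make makeplist`) so that no other bundled jar that moved between 3.6.3 and 3.8.1 is missing from the list.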
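Review bot: the new security/vuxml/vuln.xml entry lists both CVE-2021-26291 and CVE-2020-13956 under `<references>`, but the description only quotes the release-notes section for CVE-2021-26291 (the blockquote cites the `#cve-2021-26291` anchor) and never says what CVE-2020-13956 covers; add a sentence or a second quote so readers of the advisory know which component the second CVE affects. Also, the multi-paragraph `<li>` items separate their paragraphs with blank lines instead of `<p>` elements, so when the XHTML body is rendered those breaks collapse into one run of text; wrap each paragraph in `<p>` (as the introductory paragraph already is) to keep the entry readable.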