From owner-dev-commits-ports-all@freebsd.org Mon Apr 19 04:11:41 2021
Return-Path:
Delivered-To: dev-commits-ports-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id C2F455E0BDD; Mon, 19 Apr 2021 04:11:41 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4FNtg14v4Sz4stl; Mon, 19 Apr 2021 04:11:41 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 93F5318B48; Mon, 19 Apr 2021 04:11:41 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 13J4BfjW096513; Mon, 19 Apr 2021 04:11:41 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 13J4BfrC096512; Mon, 19 Apr 2021 04:11:41 GMT (envelope-from git)
Date: Mon, 19 Apr 2021 04:11:41 GMT
Message-Id: <202104190411.13J4BfrC096512@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Kevin Bowling
Subject: git: 887cfadcdf5e - main - devel/maven: update to 3.8.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kbowling
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-ports-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the ports repository
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 19 Apr 2021 04:11:41 -0000

The branch main has been updated by kbowling:

URL: https://cgit.FreeBSD.org/ports/commit/?id=887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830

commit 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830
Author:     Kevin Bowling
AuthorDate: 2021-04-19 04:05:30 +0000
Commit:     Kevin Bowling
CommitDate: 2021-04-19 04:11:34 +0000

    devel/maven: update to 3.8.1

    This is not just a bugfix as it contains three features that cause a
    change of default behavior (external HTTP insecure URLs are now blocked
    by default): your builds may fail when using this new Maven release, if
    you use now blocked repositories. Please check and eventually fix before
    upgrading.

    Changes http://maven.apache.org/docs/3.8.1/release-notes.html

    PR:		255161
    Approved by:	Jonathan Chen (maintainer)
    Security:	CVE-2021-26291 CVE-2020-13956
---
 devel/maven/Makefile    |  2 +-
 devel/maven/distinfo    |  6 ++---
 devel/maven/pkg-plist   | 18 ++++++-------
 security/vuxml/vuln.xml | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 80 insertions(+), 13 deletions(-)

diff --git a/devel/maven/Makefile b/devel/maven/Makefile index 42cac2993d5e..d2d77f4a1028 100644 --- a/devel/maven/Makefile +++ b/devel/maven/Makefile
@@ -1,7 +1,7 @@ # Created by: JonathanChen PORTNAME= maven -DISTVERSION= 3.6.3 +DISTVERSION= 3.8.1 CATEGORIES= devel java MASTER_SITES= APACHE/maven/maven-3/${DISTVERSION}/binaries DISTNAME= apache-maven-${DISTVERSION}-bin diff --git a/devel/maven/distinfo b/devel/maven/distinfo index 4912d96568fe..57ad8a2cf1ef 100644 --- a/devel/maven/distinfo +++ b/devel/maven/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1575665365 -SHA256 (apache-maven-3.6.3-bin.tar.gz) = 26ad91d751b3a9a53087aefa743f4e16a17741d3915b219cf74112bf87a438c5 -SIZE (apache-maven-3.6.3-bin.tar.gz) = 9506321 +TIMESTAMP = 1618695108 +SHA256 (apache-maven-3.8.1-bin.tar.gz) = b98a1905eb554d07427b2e5509ff09bd53e2f1dd7a0afa38384968b113abef02 +SIZE (apache-maven-3.8.1-bin.tar.gz) = 9536838 diff --git a/devel/maven/pkg-plist b/devel/maven/pkg-plist index 4f40a59ef93a..3988d3cd5e82 100644 --- a/devel/maven/pkg-plist +++ b/devel/maven/pkg-plist @@ -45,13 +45,13 @@ %%DATADIR%%/lib/maven-model-builder-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-plugin-api-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-repository-metadata-%%PORTVERSION%%.jar -%%DATADIR%%/lib/maven-resolver-api-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-connector-basic-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-impl-1.4.1.jar +%%DATADIR%%/lib/maven-resolver-api-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-connector-basic-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-impl-1.6.2.jar %%DATADIR%%/lib/maven-resolver-provider-%%PORTVERSION%%.jar -%%DATADIR%%/lib/maven-resolver-spi-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-transport-wagon-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-util-1.4.1.jar +%%DATADIR%%/lib/maven-resolver-spi-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-transport-wagon-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-util-1.6.2.jar %%DATADIR%%/lib/maven-settings-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-settings-builder-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-shared-utils-3.2.1.jar 
@@ -72,7 +72,7 @@ %%DATADIR%%/lib/plexus-utils.license %%DATADIR%%/lib/slf4j-api-1.7.29.jar %%DATADIR%%/lib/slf4j-api.license -%%DATADIR%%/lib/wagon-file-3.3.4.jar -%%DATADIR%%/lib/wagon-http-3.3.4-shaded.jar -%%DATADIR%%/lib/wagon-provider-api-3.3.4.jar +%%DATADIR%%/lib/wagon-file-3.4.3.jar +%%DATADIR%%/lib/wagon-http-3.4.3-shaded.jar +%%DATADIR%%/lib/wagon-provider-api-3.4.3.jar %%DATADIR%%/maven-%%PORTVERSION%% diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 3359ddc18d34..97c9911ca975 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,73 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + Apache Maven -- multiple vulnerabilities + + + maven + 3.8.1 + + + + +

The Apache Maven project reports:

+
+

We received a report from Jonathan Leitschuh about a vulnerability + of custom repositories in dependency POMs. We've split this up + into three separate issues:

+
    +
  • Possible Man-In-The-Middle-Attack due to custom repositories + using HTTP. + + More and more repositories use HTTPS nowadays, but this + hasn't always been the case. This means that Maven Central contains + POMs with custom repositories that refer to a URL over HTTP. This + makes downloads via such repository a target for a MITM attack. At + the same time, developers are probably not aware that for some + downloads an insecure URL is being used. Because uploaded POMs to + Maven Central are immutable, a change for Maven was required. To + solve this, we extended the mirror configuration with blocked + parameter, and we added a new external:http:* mirror selector (like + existing external:*), meaning "any external URL using HTTP". + + The decision was made to block such external HTTP repositories by default: + this is done by providing a mirror in the conf/settings.xml blocking + insecure HTTP external URLs.
  • +
  • Possible Domain Hijacking due to custom repositories using abandoned + domains + + Sonatype has analyzed which domains were abandoned and has claimed these + domains.
  • +
  • Possible hijacking of downloads by redirecting to custom repositories + + This one was the hardest to analyze and explain. The short story is: + you're safe, dependencies are only downloaded from repositories within + their context. So there are two main questions: what is the context and + what is the order? The order is described on the Repository Order page. + The first group of repositories are defined in the settings.xml (both user + and global). The second group of repositories are based on inheritence, + with ultimately the super POM containing the URL to Maven Central. The + third group is the most complex one but is important to understand the + term context: repositories from the effective POMs from the dependency + path to the artifact. So if a dependency was defined by another dependency + or by a Maven project, it will also include their repositories. In the end + this is not a bug, but a design feature.
  • +
+
+ +
+ + http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291 + CVE-2021-26291 + CVE-2020-13956 + + + 2021-04-04 + 2021-04-19 + +
+ Consul -- Multiple vulnerabilities
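Review bot: on the distinfo hunk, the new `SHA256 (apache-maven-3.8.1-bin.tar.gz) = b98a1905...` and `SIZE ... = 9536838` pair is the only integrity control the port has over a tarball fetched from the `APACHE/maven/maven-3/${DISTVERSION}/binaries` mirror group named in the Makefile, so the value should be confirmed against the checksum and signature upstream publishes for the 3.8.1 binary release rather than taken from whichever mirror answered `make makesum`; a one-line "verified against upstream .sha512/.asc" in the commit message would record that the check was done.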
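Review bot: on the pkg-plist hunks, the only changes are the hard-coded bundled-library versions (`maven-resolver-*-1.4.1.jar` to `1.6.2`, `wagon-*-3.3.4.jar` to `3.4.3`), and `wagon-http-3.4.3-shaded.jar` together with `maven-resolver-transport-wagon-1.6.2.jar` is the transport layer whose default behaviour the commit message says now blocks external HTTP repositories, so this is the part of the update worth a smoke test against a project that still declares an `http://` repository; also confirm `make check-plist` is clean, since entries such as `slf4j-api-1.7.29.jar` and `maven-shared-utils-3.2.1.jar` are left as-is and any other jar that changed version inside the 3.8.1 tarball would show up as an orphan or missing file there.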
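Review bot: in the new vuln.xml entry the release-notes reference is given as `http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291`, a plain-HTTP link inside an advisory whose first item is a man-in-the-middle risk from repositories using HTTP; use the `https://` form of the same URL so readers are not sent over the channel the entry warns about (the same applies to the `Changes` URL in the commit message). Two smaller points: the quoted upstream description carries the spelling "inheritence" (should be "inheritance"), which may be left alone since the text is quoted verbatim from the Maven project, and the affected-range element wrapping `3.8.1` for the `maven` package should be checked to be a strict less-than bound so that the 3.8.1 port itself is reported as fixed, as the `SIZE`/`DISTVERSION` hunks intend.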
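The commit message asks users to check for repositories that Maven 3.8.1 will block before upgrading, and the quoted advisory explains the mechanism: a mirror in conf/settings.xml with a `blocked` parameter whose `mirrorOf` is the new `external:http:*` selector. The following Python script is an added example, not part of the commit or of the Maven project; it scans pom.xml and settings.xml documents for repository, pluginRepository, snapshotRepository and mirror URLs that such a selector would match (plain http:// to a host that is not local) and reports whether a settings.xml already carries the blocking mirror. The sample POM and settings documents are constructed for the example; the blocker mirror in the sample follows the shape the advisory describes, with an illustrative id and name, and the set of hosts treated as "not external" (localhost, 127.0.0.1, ::1) is an assumption modelled on Maven's `external:*` rule rather than a copy of its implementation.

```python
"""Pre-upgrade check for Maven 3.8.1's blocking of external HTTP repositories.

Finds repository-like URLs that an external:http:* blocking mirror would
refuse, and checks whether a settings.xml already declares such a mirror.
All sample documents below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Element names that carry a <url> Maven may download from.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}

# Assumption: hosts treated as local, modelled on Maven's external:* rule.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample POM: one HTTPS repo, two external HTTP repos, one local proxy.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>local-proxy</id><url>http://localhost:8081/repository/maven-public</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-old</id><url>http://plugins.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample settings.xml: a blocking mirror of the kind the advisory
# describes (id and name illustrative) plus one profile repository still on HTTP.
SAMPLE_SETTINGS = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>
  </mirrors>
  <profiles>
    <profile>
      <id>corp</id>
      <repositories>
        <repository><id>corp-http</id><url>http://nexus.corp.example.test/repository/maven-public</url></repository>
      </repositories>
    </profile>
  </profiles>
</settings>
"""


def _local_name(tag):
    """Strip the XML namespace so POM and settings elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def _fields(element):
    """Map each child's local name to its stripped text."""
    return {_local_name(child.tag): (child.text or "").strip() for child in element}


def is_external_http(url):
    """True for plain http:// to a non-local host, i.e. what external:http:* matches."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() != "http":
        return False
    return (parsed.hostname or "").lower() not in LOCAL_HOSTS


def declared_repos(xml_text):
    """Yield (kind, id, url, blocked) for every repository-like element with a <url>."""
    for element in ET.fromstring(xml_text).iter():
        kind = _local_name(element.tag)
        if kind not in REPO_TAGS:
            continue
        fields = _fields(element)
        if fields.get("url"):
            blocked = fields.get("blocked", "").lower() == "true"
            yield kind, fields.get("id", "(no id)"), fields["url"], blocked


def find_blocked(xml_text):
    """Return [(kind, id, url)] that a blocked external:http:* mirror would refuse.

    A mirror that is itself <blocked>true</blocked> is skipped: its URL is a
    placeholder, not a source Maven downloads from.
    """
    return [(kind, rid, url) for kind, rid, url, blocked in declared_repos(xml_text)
            if not blocked and is_external_http(url)]


def has_http_blocker(settings_xml):
    """True when settings.xml already declares a blocked mirror for external:http:*."""
    for element in ET.fromstring(settings_xml).iter():
        if _local_name(element.tag) != "mirror":
            continue
        fields = _fields(element)
        if fields.get("mirrorOf") == "external:http:*" and fields.get("blocked", "").lower() == "true":
            return True
    return False


if __name__ == "__main__":
    for label, doc in (("pom.xml", SAMPLE_POM), ("settings.xml", SAMPLE_SETTINGS)):
        for kind, rid, url in find_blocked(doc):
            print(f"{label}: {kind} '{rid}' uses external HTTP and will be blocked: {url}")
    print("settings.xml has external:http:* blocker:", has_http_blocker(SAMPLE_SETTINGS))
```

To run it against a real project, pass the contents of its pom.xml and of the user and global settings.xml to `find_blocked`. Because the advisory's concern is repositories declared in dependency POMs, which only appear in the effective model, feeding the output of `mvn help:effective-pom` through the same function covers the inherited and dependency-path repositories that the project's own pom.xml does not show.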