Bug#701991: maven3: CVE-2013-0253
Niels Thykier
niels at thykier.net
Sat Mar 16 12:38:04 UTC 2013
Control: reassign -1 src:wagon2
Control: tags -1 + patch
Hi,
The email does not appear to have reached the BTS, so I am resending it
(and quoting it in full).
~Niels
On 2013-03-15 04:49, Arnaud Fontaine wrote:
> Control: reassign -1 src:wagon2
> Control: tags -1 + patch
>
> Hello,
>
> This security issue actually affects libwagon2-java as, besides
> build improvements, maven 3.0.5 only bumps the wagon2 version from 2.2 to
> 2.4 (should maven be rebuilt when a fixed version has been
> uploaded?). Therefore, I'm reassigning this issue to wagon2 instead.
>
> According to [0], it is recommended to upgrade to Maven Wagon 2.4;
> however, this is not really possible as the new version requires (at
> least, when testing by changing the required version, I got more
> dependency errors later on) libmaven-parent-java >= 23, which is not
> available in the archive. Moreover, there are many unrelated changes, so
> the only solution is probably to backport the patches. The issue on
> the Maven Wagon BTS seems to be:
>
> https://jira.codehaus.org/browse/WAGON-385
>
> And the patches (quite small indeed):
>
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5
>
> As I don't know anything about Maven (I'm just hunting RC bugs ;-)),
> could you please confirm that these patches fix this issue? I can later
> NMU if it helps.
>
> Also, there seem to have been several other bug fixes (including
> security-related ones). Not sure if they are really critical; just
> pointing out what I have found so far while checking the git history from
> Maven Wagon 2.2 to 2.4:
>
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a
> https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac
>
> Cheers,
>