Bug#701991: maven3: CVE-2013-0253
Arnaud Fontaine
arnau at debian.org
Fri Mar 15 03:49:44 UTC 2013
Control: reassign -1 src:wagon2
Control: tags -1 + patch
Hello,
This security issue is actually affecting libwagon2-java as, besides
build improvements, maven 3.0.5 only bumps the wagon2 version from 2.2 to
2.4 (should maven be rebuilt when a fixed version has been
uploaded?). Therefore, I'm reassigning this issue to wagon2 instead.
According to [0], it is recommended to upgrade to Maven Wagon 2.4;
however, this is not really possible as the new version requires (at
least, when testing by changing the required version, I got more
dependency errors later on) libmaven-parent-java >= 23, which is not
available in the archive. Moreover, there are many unrelated changes, so
the only solution is probably to backport the patches. The issue on the
Maven Wagon BTS seems to be:
https://jira.codehaus.org/browse/WAGON-385
And the patches (quite small indeed):
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=2f7bb33852cbb9ddb4e1abaa37f282b67bf72af5
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=b5a0839e312345499c811b6eff8f9029118ca8d5
As I don't know anything about Maven (I'm just hunting RC bugs ;-)),
could you please confirm that these patches fix this issue? I can later
NMU if it helps.
Also, there seem to have been several other bug fixes (including
security-related ones); I'm not sure if they are really critical, just
pointing out what I have found so far while checking the git history from
Maven Wagon 2.2 to 2.4:
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=f1298163ebb9f72c618c69140f6b47c7ad6c32e5
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=31a5772aeffa38ed50355ad488f741cf48c4960a
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=d95189d00ab1e7ac79bd5b9f7d20525c2776a6a2
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=6b664d691c9a0fec8a09b77a0f57c1945691db8a
https://git-wip-us.apache.org/repos/asf?p=maven-wagon.git;a=commit;h=81c5ebb0efc4c9803a32fa81d390dc60da8905ac
Cheers,
--
Arnaud Fontaine
[0] http://maven.apache.org/security.html