Posted to dev@curator.apache.org by "Jordan Zimmerman (JIRA)" <ji...@apache.org> on 2019/05/22 14:21:00 UTC

[jira] [Updated] (CURATOR-522) Update all URLs in our POMs to https

     [ https://issues.apache.org/jira/browse/CURATOR-522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jordan Zimmerman updated CURATOR-522:
-------------------------------------
    Description: 
Apache is asking us to review our build files and make sure we're using https for all URLs.

Full Apache email:

{panel}
ASF Security received a report that a number of Apache projects have
build dependencies downloaded using insecure urls. The reporter states
this could be used in conjunction with a man-in-the-middle attack to
compromise project builds.  The reporter claims this is a significant
issue and will be making an announcement on June 10th and a number of
press releases and industry reaction is expected.

We have already contacted each of the projects the reporter detected.
However we have not run any scanning ourselves to identify any other
instances hence this email.

We request that you review any build scripts and configurations for
insecure urls where appropriate to your projects, fix them asap, and
report back if you had to change anything to security@apache.org by
the 31st May 2019.

The most common finding was HTTP references to repos like maven.org in
build files (Gradle, Maven, SBT, or other tools).  Here is an example
showing repositories being used with http urls that should be changed
to https:

https://github.com/apache/flink/blob/d1542e9561c6235feb902c9c6d781ba416b8f784/pom.xml#L1017-L1038

Note that searching for http:// might not be enough, look for http\://
too due to escaping.

Although this issue is public on June 10th, please make fixes to
insecure urls immediately.  Also note that some repos will be moving
to blocking http transfers in June and later:

https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/

The reporter claims that a full audit of affected projects is required
to ensure builds were not made with tampered dependencies, and that
CVE names should be given to each project, however we are not
requiring this -- we believe it’s more likely a third party repo could
be compromised with a malicious build than a MITM attack.   If you
disagree, let us know. Projects like Lucene do checksum whitelists of
all their build dependencies, and you may wish to consider that as a
protection against threats beyond just MITM.

Best Regards,
Mark J Cox
VP, ASF Security Team
{panel}

  was:Apache is asking us to review our build files and make sure we're using https for all URLs.


> Update all URLs in our POMs to https
> ------------------------------------
>
>                 Key: CURATOR-522
>                 URL: https://issues.apache.org/jira/browse/CURATOR-522
>             Project: Apache Curator
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 4.2.0
>            Reporter: Jordan Zimmerman
>            Priority: Major
>             Fix For: 4.2.1
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
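The scan the ASF email asks for, as an added example that is not part of this JIRA issue, the Curator build, or anything Apache ships: a small Python script (assumed tooling; the function names and the build-file globs are the example's own choices) that finds both the plain http:// form and the escaped http\:// form that appears in .properties files, and that leaves XML namespace declarations alone, because xmlns="http://maven.apache.org/POM/4.0.0" is an identifier rather than a download location and rewriting it breaks the POM. The pom.xml and .properties contents are constructed inline for the demonstration.

```python
"""Find insecure repository URLs in Maven/Gradle/SBT build files.

Added example, not code from the Curator project. Flags the plain
'http://' spelling and the escaped 'http\\://' spelling, and skips XML
namespace declarations, which must keep their http:// names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Plain and escaped forms; a URL ends at whitespace, a quote or an XML angle bracket.
INSECURE_URL = re.compile(r"""http\\?://[^\s"'<>]+""")
# Lines that declare XML namespaces or schema locations: identifiers, not downloads.
NAMESPACE_HINT = re.compile(r"""xmlns(:\w+)?=|schemaLocation=""")
# Build-file kinds named in the ASF email (globs are this example's assumption).
BUILD_FILE_GLOBS = ("pom.xml", "*.gradle", "*.gradle.kts", "*.sbt", "*.properties")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    url: str
    escaped: bool      # True for the http\:// spelling used in .properties files
    namespace: bool    # True when the line is an XML namespace/schema declaration

    @property
    def https_url(self) -> str:
        """The same URL with the scheme switched to https, escaping preserved."""
        return re.sub(r"^http(\\?://)", r"https\1", self.url)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every http:// or http\\:// occurrence, tagged with line and kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        on_namespace_line = NAMESPACE_HINT.search(line) is not None
        for match in INSECURE_URL.finditer(line):
            url = match.group(0)
            findings.append(Finding(path, lineno, url,
                                    escaped=url.startswith("http\\://"),
                                    namespace=on_namespace_line))
    return findings


def actionable(findings: list[Finding]) -> list[Finding]:
    """Only the findings that should actually be changed to https."""
    return [f for f in findings if not f.namespace]


def rewrite_to_https(text: str) -> str:
    """Switch insecure URLs to https on every line except namespace declarations."""
    out = []
    for line in text.splitlines(keepends=True):
        if NAMESPACE_HINT.search(line):
            out.append(line)                       # leave xmlns / schemaLocation as-is
        else:
            out.append(re.sub(r"http(\\?://)", r"https\1", line))
    return "".join(out)


def scan_tree(root: Path) -> list[Finding]:
    """Scan every build file under root, recursively."""
    findings = []
    for pattern in BUILD_FILE_GLOBS:
        for path in sorted(root.rglob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path), text))
    return findings


# Constructed sample inputs; the repository entries are illustrative only.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <repositories>
    <repository>
      <id>central</id>
      <url>http://repo1.maven.org/maven2</url>
    </repository>
    <repository>
      <id>already-secure</id>
      <url>https://repository.apache.org/snapshots</url>
    </repository>
  </repositories>
</project>
"""

SAMPLE_PROPERTIES = """# constructed sample; the escaped scheme is what a search for the plain form misses
repo.url=http\\://repo1.maven.org/maven2
site.url=https\\://example.invalid/site
"""

if __name__ == "__main__":
    for name, text in (("pom.xml", SAMPLE_POM), ("build.properties", SAMPLE_PROPERTIES)):
        for f in scan_text(name, text):
            verdict = "leave (XML namespace)" if f.namespace else f"change to {f.https_url}"
            print(f"{f.path}:{f.line}: {f.url} -> {verdict}")
```

Run as-is to see the report on the constructed samples, or call scan_tree(Path(".")) on a checkout. On the sample POM the three namespace lines are reported but not changed; only the <url> under <repository> is rewritten, and the .properties entry is rewritten with its backslash kept. The namespace check is line-based, which suits real POMs where xmlns attributes sit on their own lines in the <project> element.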