Posted to commits@maven.apache.org by rf...@apache.org on 2022/09/26 08:27:15 UTC
[maven-site] branch master updated: Update security.md
This is an automated email from the ASF dual-hosted git repository.
rfscholte pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-site.git
The following commit(s) were added to refs/heads/master by this push:
new 43b724c8 Update security.md
43b724c8 is described below
commit 43b724c88c9acd453ac22e0c011f3958d75e3dc6
Author: Robert Scholte <rf...@apache.org>
AuthorDate: Mon Sep 26 10:27:11 2022 +0200
Update security.md
---
content/markdown/security.md | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/content/markdown/security.md b/content/markdown/security.md
index 1c7c550d..db7f5f3f 100644
--- a/content/markdown/security.md
+++ b/content/markdown/security.md
@@ -25,6 +25,24 @@ has been fixed.
For more information about reporting vulnerabilities, see the [Apache
Security Team](https://www.apache.org/security/) page.
+### CVE-2021-26291 Apache Maven 3.8.1
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Apache Maven 3.6.3 and earlier
+
+Description: More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP.
+This makes downloads via such repository a target for a MITM attack.
+At the same time, developers are probably not aware that for some downloads an insecure URL is being used.
+Because uploaded POMs to Maven Central are immutable, a change for Maven was required.
+To solve this, we extended the mirror configuration with `<blocked>` parameter,
+and we added a new `external:http:*` mirror selector (like existing `external:*`), meaning "any external URL using HTTP".\
+The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the `conf/settings.xml` blocking insecure HTTP external URLs.
+Note: this is a vulnerability in case you're connectioning directly to remote repositories instead of using an artifact repository manager.
### Maven Dependency, EAR, Javadoc, WAR and Plugin Plugins
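Review bot: the new entry has Severity, Vendor, Versions Affected and Description fields but no explicit fix or mitigation field; the fixed release is only implied by the heading `### CVE-2021-26291 Apache Maven 3.8.1`, so a reader on 3.6.3 or earlier is left to infer what to do. Add a line such as `Mitigation: upgrade to Apache Maven 3.8.1, or use an artifact repository manager` in the same field style as the lines above it. Because the default block is delivered through a `<mirror>` entry in the shipped `conf/settings.xml`, it would also help to say that builds which do not read that file (a replaced global settings, for instance) must carry the entry over, and to show it with the two elements this text introduces, `<mirrorOf>external:http:*</mirrorOf>` and `<blocked>true</blocked>`, so the section is self-contained. Wording: "connectioning" should be "connecting", "downloads via such repository" should be "downloads via such a repository", and the trailing backslash after "any external URL using HTTP" forces a hard line break that the rest of the page does not use; a plain paragraph break reads better.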