Posted to commits@maven.apache.org by rf...@apache.org on 2022/09/26 08:27:15 UTC

[maven-site] branch master updated: Update security.md

This is an automated email from the ASF dual-hosted git repository.

rfscholte pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 43b724c8 Update security.md
43b724c8 is described below

commit 43b724c88c9acd453ac22e0c011f3958d75e3dc6
Author: Robert Scholte <rf...@apache.org>
AuthorDate: Mon Sep 26 10:27:11 2022 +0200

    Update security.md
---
 content/markdown/security.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/content/markdown/security.md b/content/markdown/security.md
index 1c7c550d..db7f5f3f 100644
--- a/content/markdown/security.md
+++ b/content/markdown/security.md
@@ -25,6 +25,24 @@ has been fixed.
 For more information about reporting vulnerabilities, see the [Apache
 Security Team](https://www.apache.org/security/) page.
 
+### CVE-2021-26291 Apache Maven 3.8.1
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Apache Maven 3.6.3 and earlier
+
+Description: More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP.
+This makes downloads via such repository a target for a MITM attack. 
+At the same time, developers are probably not aware that for some downloads an insecure URL is being used. 
+Because uploaded POMs to Maven Central are immutable, a change for Maven was required.
+To solve this, we extended the mirror configuration with `<blocked>` parameter,
+and we added a new `external:http:*` mirror selector (like existing `external:*`), meaning "any external URL using HTTP".\
+The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the `conf/settings.xml` blocking insecure HTTP external URLs.
+Note: this is a vulnerability in case you're connectioning directly to remote repositories instead of using an artifact repository manager.
 
 ### Maven Dependency, EAR, Javadoc, WAR and Plugin Plugins
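Review bot: the closing "Note:" line of the hunk has a typo, "connectioning" should be "connecting", and "downloads via such repository" reads better as "downloads via such a repository"; the "This makes downloads via such repository a target for a MITM attack." and "At the same time, developers are probably not aware ..." lines also carry trailing whitespace. Since the heading names Apache Maven 3.8.1 while "Versions Affected" lists only "Apache Maven 3.6.3 and earlier", the fixed version is implied rather than stated; consider adding an explicit "Fixed in: Apache Maven 3.8.1" line (and a "Mitigation: upgrade to Apache Maven 3.8.1 or later" line) so the entry keeps the Severity / Vendor / Versions Affected structure through to the end and readers of 3.6.3 see at a glance that the `<blocked>` mirror parameter and the `external:http:*` selector in `conf/settings.xml` are only available after upgrading.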