Posted to users@maven.apache.org by Brian Fox <br...@infinity.nu> on 2013/02/24 18:24:55 UTC

Re: [ANN] Apache Maven 3.0.5 released

Just wanted to bring this to the users list and ensure that those reading
the release notes see the security alert for 3.0.4:

CVE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including: host name verification, date validity, and certificate
chain. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.

Credit:
This issue was identified by Graham Leggett.

--
The Apache Maven Team


On Sat, Feb 23, 2013 at 9:58 AM, Olivier Lamy <ol...@apache.org> wrote:

> Hello,
>
> The Apache Maven team is pleased to announce the release of Apache Maven
> 3.0.5
>
> Release notes available:
> http://maven.apache.org/docs/3.0.5/release-notes.html .
>
> Maven is a project comprehension and build tool, designed to simplify
> the process of maintaining a healthy development lifecycle for your
> project.
>
> You can read more here:
>
>     http://maven.apache.org/
>
> Downloads of source and binary distributions are listed in our
> download section:
>
>     http://maven.apache.org/download.html
>
> A major goal of Maven 3.0.x is to be compatible, to the extent
> possible, with existing plugins and projects designed for Maven 2.x.
> Users interested in upgrading to 3.x should have a glance at the
> compatibility notes for known differences between Maven 3.0 and Maven
> 2.x:
>
>     http://cwiki.apache.org/MAVEN/maven-3x-compatibility-notes.html
>
> Users who already use Maven 3.0.x are encouraged to update to this new
> maintenance release.
>
> If you encounter unexpected problems while using Apache Maven 3.0.5,
> please feel free to contact us via the Maven developer list:
>
>     http://maven.apache.org/mail-lists.html
>
> Release Notes - Apache Maven 2 & 3 - Version 3.0.5
>
> ** Bug
>   * [MNG-5430] - use wagon 2.4
>
>
> Have Fun!
>
> -- The Apache Maven Team.
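
An added example, not part of the original message and not Apache Maven's own code: a small audit that flags the affected versions listed in the advisory, both in a `mvn -version` banner and in Wagon versions pinned in a `pom.xml` (including versions set through `${...}` properties). The function names, the sample POM and the banner text are constructed for illustration, and treating every `org.apache.maven.wagon` artifact at 2.1 to 2.3 as affected is an assumption based on the advisory's version list.

```python
import re
import xml.etree.ElementTree as ET

# Affected versions as listed in the advisory above.
AFFECTED_MAVEN = {"3.0.4"}
AFFECTED_WAGON = {"2.1", "2.2", "2.3"}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def maven_is_affected(version_output):
    """True if the `mvn -version` banner reports an affected Maven release."""
    m = re.search(r"^Apache Maven (\d+(?:\.\d+)*)", version_output, re.MULTILINE)
    return bool(m) and m.group(1) in AFFECTED_MAVEN

def affected_wagon_pins(pom_xml):
    """Return sorted (artifactId, version) pairs for affected Wagon pins."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so a version written as ${name} can be resolved.
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = set()
    # Extensions, dependencies and plugins all carry groupId/artifactId/version.
    for node in root.iter():
        if node.findtext("m:groupId", "", NS).strip() != "org.apache.maven.wagon":
            continue
        artifact = node.findtext("m:artifactId", "?", NS).strip()
        raw = node.findtext("m:version", "", NS).strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        if version in AFFECTED_WAGON:
            hits.add((artifact, version))
    return sorted(hits)

# Constructed sample POM (not from the original message).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><wagon.version>2.2</wagon.version></properties>
  <build><extensions>
    <extension><groupId>org.apache.maven.wagon</groupId>
      <artifactId>wagon-ssh</artifactId><version>${wagon.version}</version></extension>
    <extension><groupId>org.apache.maven.wagon</groupId>
      <artifactId>wagon-http</artifactId><version>2.4</version></extension>
  </extensions></build>
</project>"""

if __name__ == "__main__":
    print(maven_is_affected("Apache Maven 3.0.4 (constructed sample banner)"))
    print(affected_wagon_pins(SAMPLE_POM))
```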