Posted to announce@maven.apache.org by Olivier Lamy <ol...@apache.org> on 2013/02/23 15:59:11 UTC

[SECURITY] CVE-2013-0253 Apache Maven 3.0.4

CVE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including: host name verification, date validity, and certificate
chain. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.

Credit:
This issue was identified by Graham Leggett.

--
The Apache Maven Team
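
A small audit script for the advisory above, added here as an example and not part of the announcement or of Maven/Wagon itself: it checks a `mvn -v` banner, a listing of the Maven lib directory and MAVEN_OPTS for the affected versions and for system properties that re-enable the insecure mode after an upgrade. The jar naming pattern and the `maven.wagon.http.ssl.*` property names are assumptions, not taken from the advisory, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added audit helper; not part of the advisory, Maven or Wagon.
# Assumptions (not stated in the advisory): `mvn -v` starts with "Apache Maven X.Y.Z",
# the Wagon HTTP provider in $M2_HOME/lib is named wagon-http-<ver>-shaded.jar, and the
# insecure mode is toggled by the maven.wagon.http.ssl.* system properties named below.

# Exit 0 (affected) if the "mvn -v" output passed as $1 names Maven 3.0.4.
maven_version_affected() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^Apache Maven \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ "$ver" = "3.0.4" ]
}

# Exit 0 (affected) if the lib listing passed as $1 (one jar name per line)
# contains a Wagon HTTP provider from the 2.1, 2.2 or 2.3 series.
wagon_lib_affected() {
  printf '%s\n' "$1" | grep -Eq '^wagon-http-2\.[123](\.[0-9]+)?-shaded\.jar$'
}

# Exit 0 if MAVEN_OPTS-style text re-enables the insecure SSL mode by hand; the fixed
# releases default these properties to false, so this catches operator overrides.
opts_disable_ssl_checks() {
  printf '%s\n' "$1" | grep -Eq -- '-Dmaven\.wagon\.http\.ssl\.(insecure|allowall|ignore\.validity\.dates)=true'
}

# Constructed sample inputs so the script runs offline; on a real host use
#   SAMPLE_MVN_V=$(mvn -v); SAMPLE_LIB=$(ls "$M2_HOME/lib"); SAMPLE_OPTS=$MAVEN_OPTS
SAMPLE_MVN_V='Apache Maven 3.0.4 (rXXXXXXX; YYYY-MM-DD HH:MM:SS+0000)
Java version: 1.7.0, vendor: Oracle Corporation'
SAMPLE_LIB='maven-core-3.0.4.jar
wagon-http-2.1-shaded.jar
wagon-provider-api-2.1.jar'
SAMPLE_OPTS='-Xmx512m -Dmaven.wagon.http.ssl.insecure=true'

# Exit 0 when no indicator is present, 1 when at least one finding was printed.
audit() {
  rc=0
  maven_version_affected "$1" && { echo "Maven 3.0.4 found: upgrade to 3.0.5 (CVE-2013-0253)"; rc=1; }
  wagon_lib_affected "$2" && { echo "Wagon HTTP 2.1-2.3 found: upgrade to Wagon 2.4"; rc=1; }
  opts_disable_ssl_checks "$3" && { echo "MAVEN_OPTS forces the insecure SSL mode: drop those -D flags"; rc=1; }
  return $rc
}

if audit "$SAMPLE_MVN_V" "$SAMPLE_LIB" "$SAMPLE_OPTS"; then
  echo "no CVE-2013-0253 indicators found"
fi
```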

Re: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

Posted by Olivier Lamy <ol...@apache.org>.
No idea but has been asked.

2013/2/23 Jason van Zyl <ja...@tesla.io>:
> When will the CVE entry be updated?
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0253
>
> Thanks,
>
> Jason
>

--
Olivier Lamy
Talend: http://coders.talend.com
http://twitter.com/olamy | http://linkedin.com/in/olamy

Re: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

Posted by Jason van Zyl <ja...@tesla.io>.
When will the CVE entry be updated?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0253

Thanks,

Jason

----------------------------------------------------------
Jason van Zyl
Founder & CTO, Sonatype
Founder,  Apache Maven
http://twitter.com/jvanzyl
---------------------------------------------------------

First, the taking in of scattered particulars under one Idea,
so that everyone understands what is being talked about ... Second,
the separation of the Idea into parts, by dividing it at the joints,
as nature directs, not breaking any limb in half as a bad carver might.

  -- Plato, Phaedrus (Notes on the Synthesis of Form by C. Alexander)

Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

Posted by Brian Fox <br...@infinity.nu>.
---------- Forwarded message ----------
From: Olivier Lamy <ol...@apache.org>
Date: Sat, Feb 23, 2013 at 9:59 AM
Subject: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4
To: announce@apache.org, announce@maven.apache.org
Cc: Maven Developers List <de...@maven.apache.org>
