Apache Maven Multiple Security Bypass Vulnerabilities

Bug #1922654 reported by it0001
Affects                         Status        Importance  Assigned to  Milestone
httpcomponents-client (Ubuntu)  Fix Released  Undecided   Unassigned
maven (Ubuntu)                  Fix Released  Undecided   Unassigned
maven-resolver (Ubuntu)         Fix Released  Undecided   Unassigned

Bug Description

CVE Numbers

CVE-2021-26291 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26291>, CVE-2020-13956 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956>

Description

Multiple vulnerabilities have been reported in Apache Maven, which can be exploited by malicious people to bypass certain security restrictions.

1. An error when resolving custom repositories in dependency POMs over HTTP instead of HTTPS can be exploited to e.g. conduct a MitM (Man-in-the-Middle) attack.

The vulnerabilities are reported in versions prior to 3.8.1.

Affected Software

The following software is affected by the described vulnerability. Please check the vendor links below to see if exactly your version is affected.

Solution

Update to version 3.8.1.

References

1. http://maven.apache.org/docs/3.8.1/release-notes.html

Please provide a solution as soon as possible.
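The issue described in this report is repository URLs in (dependency) POMs that use http:// rather than https://, so artefacts fetched from them can be altered on the wire. Maven 3.8.1 blocks plain-HTTP repositories by default; on older Maven versions, or as an audit step in CI, the following script finds such declarations. It is an added example written for this page, not code from the reporter, Ubuntu or the Maven project. It parses a POM with the standard library, flags <repository>, <pluginRepository> and <snapshotRepository> elements whose URL scheme is http, and can walk a local repository cache (where Maven stores one .pom per resolved artefact) so transitive dependency POMs are covered as well. The sample POM and its *.example.invalid hosts are constructed for the demonstration.

```python
"""Audit Maven POMs for repositories declared over plain HTTP.

Added example for this report (not code from the reporter, Ubuntu or the
Maven project). Flags repository declarations whose <url> uses http://,
either in a single POM or across a directory such as ~/.m2/repository.
"""
import os
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements whose <url> child names an artefact repository (Maven POM 4.0.0).
REPOSITORY_TAGS = ("repository", "pluginRepository", "snapshotRepository")

# Constructed sample POM; the hosts are placeholders, not real endpoints.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>insecure-repo</id>
      <url>http://repo.example.invalid/maven2</url>
    </repository>
    <repository>
      <id>secure-repo</id>
      <url>https://repo.example.invalid/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>insecure-plugins</id>
      <url>http://plugins.example.invalid/maven2</url>
    </pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository>
      <id>deploy</id>
      <url>http://deploy.example.invalid/maven2</url>
    </repository>
  </distributionManagement>
</project>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_http_repositories(pom_xml):
    """Return [(element name, repository id, url)] for every repository
    declaration whose URL scheme is plain http. Works for both namespaced
    and bare POMs. URLs built from unresolved ${properties} have no scheme
    and are not flagged; resolve them first if you want them checked."""
    root = ET.fromstring(pom_xml)
    findings = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in REPOSITORY_TAGS:
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        url = fields.get("url", "")
        if urlparse(url).scheme.lower() == "http":
            findings.append((kind, fields.get("id", ""), url))
    return findings


def scan_directory(path):
    """Walk a directory (for example a ~/.m2/repository cache) and collect
    http repositories from every .pom and pom.xml file found.
    Returns {file path: findings}; unparsable files are skipped."""
    report = {}
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if not (name.endswith(".pom") or name == "pom.xml"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    hits = find_http_repositories(fh.read())
            except ET.ParseError:
                continue  # do not let one broken file abort the audit
            if hits:
                report[full] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]).items():
            for kind, repo_id, url in hits:
                print(f"{path}: <{kind}> id={repo_id!r} url={url}")
    else:
        for hit in find_http_repositories(SAMPLE_POM):
            print("sample POM:", hit)
```

Run it with a directory argument to audit a checked-out project or a local repository cache; with no argument it reports the three http:// declarations in the constructed sample. The deploy repository under distributionManagement is flagged deliberately: deploy credentials sent over plain HTTP are exposed in the same way as downloaded artefacts.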


it0001 (it0001-escrypt)
description: updated
information type: Private Security → Public Security
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the packages referred to in this bug are in universe or multiverse, they are community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in httpcomponents-client (Ubuntu):
status: New → Confirmed
Changed in maven (Ubuntu):
status: New → Confirmed
Luís Infante da Câmara (luis220413) wrote :
Changed in maven (Ubuntu):
assignee: nobody → Luís Infante da Câmara (luis220413)
Luís Infante da Câmara (luis220413) wrote :
Changed in maven (Ubuntu):
assignee: Luís Infante da Câmara (luis220413) → nobody
Eduardo Barretto (ebarretto) wrote :
Changed in maven (Ubuntu):
status: Confirmed → Fix Released
Changed in httpcomponents-client (Ubuntu):
status: Confirmed → Fix Released
Luís Infante da Câmara (luis220413) wrote :
Luís Infante da Câmara (luis220413) wrote :
Changed in maven-resolver (Ubuntu):
status: New → Fix Released
Vladimir Petko (vpa1977) wrote :

I have tried to apply the debdiff maven_focal.debdiff [1]

--------------------
$ debdiff-apply < ../maven_focal.debdiff
Traceback (most recent call last):
  File "/usr/bin/debdiff-apply", line 382, in <module>
    sys.exit(main(sys.argv[1:]))
             ^^^^^^^^^^^^^^^^^^
  File "/usr/bin/debdiff-apply", line 312, in main
    patch = unidiff.PatchSet(data.splitlines(keepends=True), encoding=enc)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/unidiff/patch.py", line 460, in __init__
    self._parse(data, encoding=encoding, metadata_only=metadata_only)
  File "/usr/lib/python3/dist-packages/unidiff/patch.py", line 548, in _parse
    current_file._parse_hunk(line, diff, encoding, metadata_only)
  File "/usr/lib/python3/dist-packages/unidiff/patch.py", line 316, in _parse_hunk
    raise UnidiffParseError(
unidiff.errors.UnidiffParseError: Hunk diff line expected: diff -Nru maven-3.6.3/debian/control maven-3.6.3/debian/control

--------------------

[1] https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1922654/+attachment/5697379/+files/maven_focal.debdiff

Luís Infante da Câmara (luis220413) wrote :
Eduardo Barretto (ebarretto) wrote (last edit ):

This patch is not acceptable as you are trying to fix a security issue (already fixed) and a bug issue. Please only upload a debdiff for the bug issue.
Also create a new ticket for that, as this one is for the security issue and that was already fixed.
