diff -Nru maven-3.6.3/debian/changelog maven-3.6.3/debian/changelog --- maven-3.6.3/debian/changelog 2020-01-27 21:19:47.000000000 +0000 +++ maven-3.6.3/debian/changelog 2023-09-03 11:50:49.000000000 +0100 @@ -1,3 +1,401 @@ +maven (3.6.3-1ubuntu0.1) focal-security; urgency=medium + + * SECURITY UPDATE: Insufficient verification of data authenticity + (LP: #1922654) + - debian/patches/CVE-2021-26291-1.patch: Add support for blocking mirrors. + - debian/patches/CVE-2021-26291-2.patch: Add support for mirrorOf + external:http:*. + - debian/patches/CVE-2021-26291-3.patch: Block HTTP repositories by default. + - CVE-2021-26291 + * debian/maven.links: Change /usr/share/maven/lib/guice.jar to point to + /usr/share/maven-repo/com/google/inject/guice/debian/guice-debian-no_aop.jar + (LP: #1930541). + + -- Luís Infante da Câmara Sun, 03 Sep 2023 11:50:49 +0100 + maven (3.6.3-1) unstable; urgency=medium * Team upload. diff -Nru maven-3.6.3/debian/control maven-3.6.3/debian/control --- maven-3.6.3/debian/control 2020-01-27 19:17:49.000000000 +0000 +++ maven-3.6.3/debian/control 2023-09-03 11:50:49.000000000 +0100 @@ -1,7 +1,8 @@ Source: maven Section: java Priority: optional -Maintainer: Debian Java Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Emmanuel Bourg , Stephen Kitt diff -Nru maven-3.6.3/debian/maven.links maven-3.6.3/debian/maven.links --- maven-3.6.3/debian/maven.links 2020-01-27 19:15:01.000000000 +0000 +++ maven-3.6.3/debian/maven.links 2023-09-03 11:50:49.000000000 +0100 
@@ -26,7 +26,7 @@ /usr/share/java/plexus-sec-dispatcher.jar /usr/share/maven/lib/plexus-sec-dispatcher.jar /usr/share/java/plexus-utils2.jar /usr/share/maven/lib/plexus-utils.jar /usr/share/java/guava.jar /usr/share/maven/lib/guava.jar -/usr/share/java/guice.jar /usr/share/maven/lib/guice.jar +/usr/share/maven-repo/com/google/inject/guice/debian/guice-debian-no_aop.jar /usr/share/maven/lib/guice.jar /usr/share/java/sisu-inject.jar /usr/share/maven/lib/sisu-inject.jar /usr/share/java/sisu-plexus.jar /usr/share/maven/lib/sisu-plexus.jar /usr/share/java/slf4j-api.jar /usr/share/maven/lib/slf4j-api.jar diff -Nru maven-3.6.3/debian/patches/CVE-2021-26291-1.patch maven-3.6.3/debian/patches/CVE-2021-26291-1.patch --- maven-3.6.3/debian/patches/CVE-2021-26291-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ maven-3.6.3/debian/patches/CVE-2021-26291-1.patch 2023-09-03 11:50:49.000000000 +0100 
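Review bot: The new link target `/usr/share/maven-repo/com/google/inject/guice/debian/guice-debian-no_aop.jar` lives in the maven-repo layout of a different package, and nothing in this debdiff shows the Depends line of debian/control guaranteeing that the no_aop jar is installed, so a dangling `/usr/share/maven/lib/guice.jar` would break Maven at startup; please confirm the dependency (the control hunk visible here only changes the Maintainer field). Swapping the Guice jar on the runtime classpath is also an unrelated functional change bundled into a security update, which makes the CVE fix harder to audit and to revert on its own. The changelog references LP: #1930541 but does not say why the no-AOP build is required; a one-line reason there would help the next uploader.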
@@ -0,0 +1,70 @@ +From 28b4ea92d38365d0f27a5bd044ac4927580147f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= +Date: Sat, 13 Mar 2021 18:00:59 +0100 +Subject: [PATCH] [MNG-7117] add support for blocked mirror + +--- + .../DefaultRepositorySystemSessionFactory.java | 4 ++-- + maven-settings/pom.xml | 2 +- + maven-settings/src/main/mdo/settings.mdo | 13 +++++++++++++ + 3 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java b/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java +index 86cb55143c4..bbefc610b72 100644 +--- a/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java ++++ b/maven-core/src/main/java/org/apache/maven/internal/aether/DefaultRepositorySystemSessionFactory.java +@@ -188,8 +188,8 @@ else if ( request.isUpdateSnapshots() ) + DefaultMirrorSelector mirrorSelector = new DefaultMirrorSelector(); + for ( Mirror mirror : request.getMirrors() ) + { +- mirrorSelector.add( mirror.getId(), mirror.getUrl(), mirror.getLayout(), false, mirror.getMirrorOf(), +- mirror.getMirrorOfLayouts() ); ++ mirrorSelector.add( mirror.getId(), mirror.getUrl(), mirror.getLayout(), false, mirror.isBlocked(), ++ mirror.getMirrorOf(), mirror.getMirrorOfLayouts() ); + } + session.setMirrorSelector( mirrorSelector ); + +diff --git a/maven-settings/pom.xml b/maven-settings/pom.xml +index 83288e5f540..4405e5c8979 100644 +--- a/maven-settings/pom.xml ++++ b/maven-settings/pom.xml +@@ -46,7 +46,7 @@ under the License. 
+ org.codehaus.modello + modello-maven-plugin + +- 1.1.0 ++ 1.2.0 + + src/main/mdo/settings.mdo + +diff --git a/maven-settings/src/main/mdo/settings.mdo b/maven-settings/src/main/mdo/settings.mdo +index 333d8bd7ac8..b0498df43a4 100644 +--- a/maven-settings/src/main/mdo/settings.mdo ++++ b/maven-settings/src/main/mdo/settings.mdo +@@ -633,6 +633,15 @@ + of the mirror to repositories with a matching layout (apart from a matching id). Since Maven 3. + + ++ ++ blocked ++ 1.2.0+ ++ boolean ++ false ++ ++ Whether this mirror should be blocked from any download request but fail the download process, explaining why. ++ ++ + + + +@@ -648,6 +657,10 @@ + sb.append( ",mirrorOf=" ).append( mirrorOf ); + sb.append( ",url=" ).append( this.url ); + sb.append( ",name=" ).append( this.name ); ++ if ( isBlocked() ) ++ { ++ sb.append( ",blocked" ); ++ } + sb.append( "]" ); + return sb.toString(); + } diff -Nru maven-3.6.3/debian/patches/CVE-2021-26291-2.patch maven-3.6.3/debian/patches/CVE-2021-26291-2.patch --- maven-3.6.3/debian/patches/CVE-2021-26291-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ maven-3.6.3/debian/patches/CVE-2021-26291-2.patch 2023-09-03 11:50:49.000000000 +0100 
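Review bot: `mirrorSelector.add( ..., false, mirror.isBlocked(), mirror.getMirrorOf(), mirror.getMirrorOfLayouts() )` in DefaultRepositorySystemSessionFactory relies on a seven-argument overload of the resolver's DefaultMirrorSelector that only exists in Maven Resolver releases carrying blocked-mirror support; the debian/control hunk in this debdiff changes only the Maintainer field, so please confirm that the libmaven-resolver-java the package builds and runs against actually provides it, otherwise this either fails to compile or links against a resolver that never enforces the flag. The `blocked` flag is only plumbed into the resolver session here; the legacy maven-compat mirror path (patched separately for `external:http:*`) is not shown honouring it, so a blocked mirror there presumably just rewrites the repository URL — worth checking. The loop deserves a why-comment, since the intent is documented only in the mdo description: `// blocked mirrors are still registered: the resolver fails the download with an explanation instead of falling back to the original repository`. The enclosing method in DefaultRepositorySystemSessionFactory starts and ends outside the hunk.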
@@ -0,0 +1,148 @@ +From 3b21386c3f1ab85060f6c950fb2fb17123df8647 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= +Date: Sat, 13 Mar 2021 18:40:48 +0100 +Subject: [PATCH] [MNG-7116] add support for mirrorOf external:http:* + +--- + +From 3b21386c3f1ab85060f6c950fb2fb17123df8647 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= +Date: Sat, 13 Mar 2021 18:40:48 +0100 +Subject: [PATCH] [MNG-7116] add support for mirrorOf external:http:* + +--- + .../repository/DefaultMirrorSelector.java | 41 +++++++++++++++++-- + .../maven/bridge/MavenRepositorySystem.java | 39 +++++++++++++++++- + 2 files changed, 75 insertions(+), 5 deletions(-) + +--- maven-3.6.3.orig/maven-compat/src/main/java/org/apache/maven/repository/DefaultMirrorSelector.java ++++ maven-3.6.3/maven-compat/src/main/java/org/apache/maven/repository/DefaultMirrorSelector.java +@@ -41,6 +41,8 @@ public class DefaultMirrorSelector + + private static final String EXTERNAL_WILDCARD = "external:*"; + ++ private static final String EXTERNAL_HTTP_WILDCARD = "external:http:*"; ++ + public Mirror getMirror( ArtifactRepository repository, List mirrors ) + { + String repoId = repository.getId(); +@@ -115,6 +117,12 @@ public class DefaultMirrorSelector + result = true; + // don't stop processing in case a future segment explicitly excludes this repo + } ++ // check for external:http:* ++ else if ( EXTERNAL_HTTP_WILDCARD.equals( repo ) && isExternalHttpRepo( originalRepository ) ) ++ { ++ result = true; ++ // don't stop processing in case a future segment explicitly excludes this repo ++ } + else if ( WILDCARD.equals( repo ) ) + { + result = true; +@@ -136,8 +144,34 @@ public class DefaultMirrorSelector + try + { + URL url = new URL( originalRepository.getUrl() ); +- return !( url.getHost().equals( "localhost" ) || url.getHost().equals( "127.0.0.1" ) +- || url.getProtocol().equals( "file" ) ); ++ return !( isLocal( url.getHost() ) || url.getProtocol().equals( "file" ) ); ++ } ++ catch ( 
MalformedURLException e ) ++ { ++ // bad url just skip it here. It should have been validated already, but the wagon lookup will deal with it ++ return false; ++ } ++ } ++ ++ private static boolean isLocal( String host ) ++ { ++ return "localhost".equals( host ) || "127.0.0.1".equals( host ); ++ } ++ ++ /** ++ * Checks the URL to see if this repository refers to a non-localhost repository using HTTP. ++ * ++ * @param originalRepository ++ * @return true if external. ++ */ ++ static boolean isExternalHttpRepo( ArtifactRepository originalRepository ) ++ { ++ try ++ { ++ URL url = new URL( originalRepository.getUrl() ); ++ return ( "http".equalsIgnoreCase( url.getProtocol() ) || "dav".equalsIgnoreCase( url.getProtocol() ) ++ || "dav:http".equalsIgnoreCase( url.getProtocol() ) ++ || "dav+http".equalsIgnoreCase( url.getProtocol() ) ) && !isLocal( url.getHost() ); + } + catch ( MalformedURLException e ) + { +@@ -146,7 +180,7 @@ public class DefaultMirrorSelector + } + } + +- static boolean matchesLayout( ArtifactRepository repository, Mirror mirror ) ++ static boolean matchesLayout( ArtifactRepository repository, Mirror mirror ) + { + return matchesLayout( RepositoryUtils.getLayout( repository ), mirror.getMirrorOfLayouts() ); + } +--- maven-3.6.3.orig/maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java ++++ maven-3.6.3/maven-core/src/main/java/org/apache/maven/bridge/MavenRepositorySystem.java +@@ -710,6 +710,8 @@ public class MavenRepositorySystem + + private static final String EXTERNAL_WILDCARD = "external:*"; + ++ private static final String EXTERNAL_HTTP_WILDCARD = "external:http:*"; ++ + public static Mirror getMirror( ArtifactRepository repository, List mirrors ) + { + String repoId = repository.getId(); +@@ -782,6 +784,12 @@ public class MavenRepositorySystem + result = true; + // don't stop processing in case a future segment explicitly excludes this repo + } ++ // check for external:http:* ++ else if ( EXTERNAL_HTTP_WILDCARD.equals( 
repo ) && isExternalHttpRepo( originalRepository ) ) ++ { ++ result = true; ++ // don't stop processing in case a future segment explicitly excludes this repo ++ } + else if ( WILDCARD.equals( repo ) ) + { + result = true; +@@ -803,8 +811,34 @@ public class MavenRepositorySystem + try + { + URL url = new URL( originalRepository.getUrl() ); +- return !( url.getHost().equals( "localhost" ) || url.getHost().equals( "127.0.0.1" ) +- || url.getProtocol().equals( "file" ) ); ++ return !( isLocal( url.getHost() ) || url.getProtocol().equals( "file" ) ); ++ } ++ catch ( MalformedURLException e ) ++ { ++ // bad url just skip it here. It should have been validated already, but the wagon lookup will deal with it ++ return false; ++ } ++ } ++ ++ private static boolean isLocal( String host ) ++ { ++ return "localhost".equals( host ) || "127.0.0.1".equals( host ); ++ } ++ ++ /** ++ * Checks the URL to see if this repository refers to a non-localhost repository using HTTP. ++ * ++ * @param originalRepository ++ * @return true if external. ++ */ ++ static boolean isExternalHttpRepo( ArtifactRepository originalRepository ) ++ { ++ try ++ { ++ URL url = new URL( originalRepository.getUrl() ); ++ return ( "http".equalsIgnoreCase( url.getProtocol() ) || "dav".equalsIgnoreCase( url.getProtocol() ) ++ || "dav:http".equalsIgnoreCase( url.getProtocol() ) ++ || "dav+http".equalsIgnoreCase( url.getProtocol() ) ) && !isLocal( url.getHost() ); + } + catch ( MalformedURLException e ) + { diff -Nru maven-3.6.3/debian/patches/CVE-2021-26291-3.patch maven-3.6.3/debian/patches/CVE-2021-26291-3.patch --- maven-3.6.3/debian/patches/CVE-2021-26291-3.patch 1970-01-01 01:00:00.000000000 +0100 +++ maven-3.6.3/debian/patches/CVE-2021-26291-3.patch 2023-09-03 11:50:49.000000000 +0100 
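Review bot: In `isExternalHttpRepo` the `dav`, `dav:http` and `dav+http` branches can never match, because `new URL( originalRepository.getUrl() )` throws MalformedURLException for any scheme that `java.net.URL` has no handler for (there is no built-in `dav` handler), so a repository declared as `dav:http://host/...` lands in the catch block and returns false — the `external:http:*` blocker therefore does not cover WebDAV-over-plain-HTTP repositories unless something has registered a handler. Strip the WebDAV prefix before parsing so the underlying transport scheme and host are what gets checked; the same applies to the duplicate copy in MavenRepositorySystem. `isLocal` treats only `localhost` and `127.0.0.1` as local, so an IPv6 loopback host (`[::1]`) would be blocked by the default mirror — probably acceptable, but it should be documented. The quilt header of this patch is also duplicated (two From/Date/Subject blocks), which is harmless to quilt but should be cleaned up.
```java
static boolean isExternalHttpRepo( ArtifactRepository originalRepository )
{
    String spec = originalRepository.getUrl();
    // java.net.URL has no "dav" handler: map "dav:http://h", "dav+http://h" and "dav://h"
    // to the underlying HTTP URL so the transport scheme and host can be parsed.
    if ( spec.regionMatches( true, 0, "dav:", 0, 4 ) || spec.regionMatches( true, 0, "dav+", 0, 4 ) )
    {
        spec = spec.substring( 4 );
        if ( spec.startsWith( "//" ) )
        {
            spec = "http:" + spec;
        }
    }
    try
    {
        URL url = new URL( spec );
        return "http".equalsIgnoreCase( url.getProtocol() ) && !isLocal( url.getHost() );
    }
    // … unchanged: MalformedURLException handling …
}
```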
@@ -0,0 +1,37 @@ +From 907d53ad3264718f66ff15e1363d76b07dd0c05f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= +Date: Sat, 13 Mar 2021 19:03:43 +0100 +Subject: [PATCH] [MNG-7118] block HTTP repositories by default + +--- + apache-maven/src/conf/settings.xml | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- maven-3.6.3.orig/apache-maven/src/conf/settings.xml ++++ maven-3.6.3/apache-maven/src/conf/settings.xml +@@ -43,9 +43,9 @@ under the License. + | values (values used when the setting is not specified) are provided. + | + |--> +- ++ xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 http://maven.apache.org/xsd/settings-1.2.0.xsd"> + ++ ++ maven-default-http-blocker ++ external:http:* ++ Pseudo repository to mirror external repositories initially using HTTP. ++ http://0.0.0.0/ ++ true ++ + + +
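Review bot: The default blocker only takes effect through the global conf/settings.xml, which the Debian package installs as a conffile; if I read the packaging right, hosts whose admin has already edited that file keep their local copy on upgrade and never receive the `maven-default-http-blocker` mirror, so the CVE-2021-26291 mitigation is silently absent on exactly those systems — the update should call this out in the changelog or a NEWS entry. The `http://0.0.0.0/` URL is a sentinel that is harmless only while every code path honours `blocked`; on Linux a connection to 0.0.0.0 reaches the local host, so any path that follows the mirror URL instead of failing would talk to a local port-80 service, which is worth verifying against the maven-compat path. The sentinel deserves a comment in the shipped settings.xml, e.g. `<!-- url is never contacted: blocked=true makes the resolver fail any request matched by external:http:* -->`.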