Upstream security vulnerability in 3.0.4

Bug #1136109 reported by Edward Sargisson
This bug affects 3 people
Affects         Status        Importance  Assigned to  Milestone
maven (Debian)  Fix Released  Unknown
maven (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Apache Maven is now at 3.0.5 because of a security vulnerability allowing man-in-the-middle attacks.

http://maven.apache.org/docs/3.0.5/release-notes.html
http://maven.apache.org/security.html

Description: Ubuntu 12.04.2 LTS
Release: 12.04

maven:
  Installed: 3.0.4-2
  Candidate: 3.0.4-2
  Version table:
 *** 3.0.4-2 0
        500 http://ca.archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
        100 /var/lib/dpkg/status

information type: Private Security → Public Security
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in maven (Ubuntu):
status: New → Incomplete
Changed in maven (Debian):
status: Unknown → Incomplete
Changed in maven (Debian):
status: Incomplete → New
Changed in maven (Debian):
status: New → Fix Released
Revision history for this message
Edward Sargisson (esarge) wrote :

Forgive me, is there any action planned on this defect? It's been fixed upstream for a week now and it is a security issue.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Edward, no one has announced here that an update is in progress. If you wanted to prepare one, it seems unlikely that you would duplicate someone else's work. The link in comment #1 provides some information on how to prepare updates.

Thanks

Revision history for this message
Edward Sargisson (esarge) wrote :

I looked into this and sadly, I don't think I can justify spending my employer's time on this so I shall have to decline.

Revision history for this message
Brad Hards (bradh) wrote :

Upstream fixed the problem 6 months ago. Can this be released in Ubuntu, please?

Revision history for this message
Andreas Schildbach (schildbach) wrote :

Trusty Tahr has Maven 3.0.5. Maybe it's easier to upgrade your distro.

Revision history for this message
Christopher Currie (codemonkey-n) wrote :

This may not actually be an issue for 12.04. From the debian-java list:

> If precise doesn't have libwagon2-java you are probably safe. The
> description of CVE-2013-0253 states that wagon was vulnerable starting
> with the version 2.1. And looking at the patch for wagon 2 [2], none of
> the code modified exists in wagon 1.

[1] https://lists.debian.org/debian-java/2015/02/msg00003.html
[2] https://sources.debian.net/src/wagon2/2.2-3%2Bnmu1/debian/patches/cve-2013-0253.patch/

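The triage rule quoted above (the vulnerable wagon 2 code only exists where libwagon2-java >= 2.1 is installed) can be applied mechanically to `apt-cache policy` output. The following is an added example, not code from the bug report or from the Maven/Debian projects; the sample policy output is constructed from the versions in the report, and `triage` only flags packages for review since a distro security patch does not change the upstream version number.

```python
import re

# Constructed sample of `apt-cache policy maven libwagon2-java` output,
# modelled on the version table in the bug description (precise, maven 3.0.4-2).
SAMPLE_POLICY = """\
maven:
  Installed: 3.0.4-2
  Candidate: 3.0.4-2
libwagon2-java:
  Installed: (none)
  Candidate: (none)
"""


def parse_policy(text):
    """Map package name -> installed version string ('(none)' when not installed)."""
    installed = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^(\S+):$", line)
        if header:
            current = header.group(1)
        elif current and line.strip().startswith("Installed:"):
            installed[current] = line.split(":", 1)[1].strip()
    return installed


def version_key(version):
    """Simplified Debian version ordering: drop the epoch and the Debian
    revision, then compare the numeric components of the upstream version."""
    upstream = version.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def triage(installed):
    """Apply the debian-java list rule for CVE-2013-0253 to parsed policy output."""
    wagon = installed.get("libwagon2-java", "(none)")
    if wagon == "(none)":
        return "not-affected: libwagon2-java not installed"
    if version_key(wagon) < (2, 1):
        return "not-affected: wagon %s predates 2.1" % wagon
    # Upstream >= 2.1 is in range; only the distro changelog shows whether
    # the CVE-2013-0253 patch is applied, so hand this off for review.
    return "review: libwagon2-java %s is in the affected range" % wagon


if __name__ == "__main__":
    print(triage(parse_policy(SAMPLE_POLICY)))
```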
Revision history for this message
Emmanuel Bourg (ebourg) wrote :

Fixed in Trusty. Precise wasn't affected.

Changed in maven (Ubuntu):
status: Incomplete → Fix Released