Bug#701991: maven3: CVE-2013-0253

Arnaud Fontaine arnau at debian.org
Fri Mar 15 03:49:44 UTC 2013

Control: reassign -1 src:wagon2
Control: tags -1 + patch


This security issue is actually affecting libwagon2-java as, besides
build improvements, maven 3.0.5 only bumps the wagon2 version from 2.2 to
2.4 (should maven be rebuilt when a fixed version has been uploaded?).
Therefore, I'm reassigning this issue to wagon2 instead.

According to [0], it is recommended to upgrade to Maven Wagon 2.4;
however, this is not really possible as the new version requires (at
least, when testing by changing the required version, I got more
dependency errors later on) libmaven-parent-java >= 23, which is not
available in the archive. Moreover, there are many unrelated changes, so
the only solution is probably to backport the patches. The issue on the
Maven Wagon BTS seems to be:


And the patches (quite small indeed):


As I don't know anything about Maven (I'm just hunting RC bugs ;-)),
could you please confirm that these patches fix this issue? I can later
NMU if it helps.

Also, there seem to have been several other bug fixes (including
security-related ones); not sure if they are really critical, just
pointing out what I have found so far while checking git history from
Maven Wagon 2.2 to 2.4:


Arnaud Fontaine

[0] http://maven.apache.org/security.html