Bug#779331: maven downloads and runs completely unauthed jars via HTTP
Hans-Christoph Steiner
hans at eds.org
Fri Feb 27 10:02:03 UTC 2015
Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security
By default, maven versions before v3.2.3 download from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it. This is a very bad situation, making it quite easy for malicious actors to
take over the machines where maven is used:
http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/
Luckily, there is a simple step that greatly improves the situation. HTTPS is
now fully supported on maven central, so Debian's maven should also default to
HTTPS. A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven. But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml
http://central.sonatype.org/pages/consumers.html#apache-maven
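As an added illustration (not part of the original report), this is the mirror stanza that a settings.xml (either /etc/maven/settings.xml for a site-wide default or ~/.m2/settings.xml for one user) uses to redirect every request for the built-in `central` repository to Central's HTTPS endpoint. The HTTPS URL is Central's canonical repository address and the mirror id is an arbitrary label chosen here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hardened Maven settings: force the "central" repository over HTTPS.
     Without this stanza, Maven < 3.2.3 resolves "central" to the plain-HTTP
     URL baked into its super-POM, so artifacts and plugins arrive unsigned
     and unencrypted. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <mirror>
      <!-- Label is arbitrary; it only has to be unique within this file. -->
      <id>central-https</id>
      <!-- Only intercept the built-in Central repository. Using "*" here
           would also route every third-party repository through this URL. -->
      <mirrorOf>central</mirrorOf>
      <name>Maven Central over HTTPS</name>
      <url>https://repo1.maven.org/maven2/</url>
    </mirror>
  </mirrors>
</settings>
```

To confirm the override is in effect, `mvn help:effective-settings` prints the merged global and user settings, and the `<url>` shown for the mirror should be the https:// one; a `mvn -X` build log should then show no `http://` downloads for Central.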