Bug#779331: maven downloads and runs completely unauthed jars via HTTP

Hans-Christoph Steiner hans at eds.org
Fri Feb 27 10:02:03 UTC 2015


Package: maven
Version: 3.0.4-3
Severity: grave
Tags: security

By default, maven versions before v3.2.3 downloads from Maven Central using
plain HTTP and do not check any kind of signature on the code before running
it.  This is a very bad situation, making it quite easy for malicious actors
take over the machines where maven is used:

http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/

Luckily, there is a simple step that greatly improves the situation.  HTTPS is
now fully supported on maven central, so Debian's maven should also default to
HTTPS.  A user can set this in ~/.m2/settings.xml, and it works fine with the
Debian version of maven.  But this really needs to be the default, and it
should just be a matter of adding this config information to
/etc/maven/settings.xml

http://central.sonatype.org/pages/consumers.html#apache-maven


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20150227/fb9a4a72/attachment.sig>


More information about the pkg-java-maintainers mailing list