Message-ID: <CAPoyBqRKkjQT4xc5d28GY6-Chf-kU-a_9GBSmCcFA7nzA8EVZA@mail.gmail.com>
Date: Sun, 24 Feb 2013 08:48:44 +0100
From: Olivier Lamy <olamy@...che.org>
To: security <security@...che.org>, full-disclosure@...ts.grok.org.uk,
  bugtraq@...urityfocus.com
Subject: Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4

CVE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including: host name verification, date validity, and certificate
chain. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.

Credit:
This issue was identified by Graham Leggett.

--
The Apache Maven Team
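As an added example (not part of the message above or of the Maven project's own code), the following Python helper flags installations that fall into the affected range named in the advisory. It reads the first line of `mvn -v` output ("Apache Maven x.y.z ...") and the names of the `wagon-*-<version>.jar` files in the distribution's `lib/` directory, and reports each component that is still at an affected version together with the fixed version from the advisory. The banner text, jar names and Maven home path used in the tests are constructed placeholders.

```python
"""Audit helper for CVE-2013-0253: flag Maven / Wagon versions named in the advisory."""
import os
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Version lists taken from the advisory text.
AFFECTED_MAVEN = {"3.0.4"}
AFFECTED_WAGON = {"2.1", "2.2", "2.3"}
FIXED_MAVEN = "3.0.5"
FIXED_WAGON = "2.4"

# First line of `mvn -v`, e.g. "Apache Maven 3.0.4 (...)".
MAVEN_BANNER = re.compile(r"^Apache Maven (\d+\.\d+\.\d+)")
# Wagon provider jars shipped in Maven's lib/, e.g. wagon-http-2.1.jar,
# wagon-http-shared4-2.1.jar, wagon-provider-api-2.1.jar (artifact names assumed).
WAGON_JAR = re.compile(r"^wagon-[\w-]+?-(\d+\.\d+(?:\.\d+)?)\.jar$")


def maven_version(banner: str) -> Optional[str]:
    """Return the Maven version from `mvn -v` output, or None if no banner is found."""
    for line in banner.splitlines():
        m = MAVEN_BANNER.match(line.strip())
        if m:
            return m.group(1)
    return None


def wagon_versions(jar_names: Iterable[str]) -> Dict[str, str]:
    """Map each Wagon jar file name to the version encoded in its name."""
    found: Dict[str, str] = {}
    for name in jar_names:
        m = WAGON_JAR.match(name)
        if m:
            found[name] = m.group(1)
    return found


def assess(banner: str, jar_names: Iterable[str]) -> List[str]:
    """Return one finding per affected component; an empty list means not affected."""
    findings: List[str] = []
    mv = maven_version(banner)
    if mv in AFFECTED_MAVEN:
        findings.append(f"Maven {mv} is affected (CVE-2013-0253); upgrade to {FIXED_MAVEN}")
    for jar, version in sorted(wagon_versions(jar_names).items()):
        if version in AFFECTED_WAGON:
            findings.append(
                f"{jar} (Wagon {version}) is affected (CVE-2013-0253); upgrade to Wagon {FIXED_WAGON}"
            )
    return findings


def scan_installation(m2_home: str) -> List[str]:
    """Run `mvn -v` from the given Maven home and inspect its lib/ directory."""
    mvn = os.path.join(m2_home, "bin", "mvn")
    banner = subprocess.run([mvn, "-v"], capture_output=True, text=True, check=False).stdout
    lib_dir = os.path.join(m2_home, "lib")
    jars = os.listdir(lib_dir) if os.path.isdir(lib_dir) else []
    return assess(banner, jars)


if __name__ == "__main__":
    # Placeholder path; point this at a real Maven installation to audit it.
    for finding in scan_installation(os.environ.get("M2_HOME", "/opt/apache-maven")):
        print(finding)
```

Because the defect lives in Wagon, a Maven build whose banner already reads 3.0.5 can still be exposed if an older `wagon-http` jar was dropped into `lib/` by hand, which is why the helper checks both the banner and the jar names rather than the banner alone.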
