oss-sec mailing list archives

Re: CVE request: Maven downloads JARs via HTTP


From: Martin Prpic <mprpic () redhat com>
Date: Mon, 02 Mar 2015 17:34:55 +0100

gremlin () gremlin ru writes:

> On 2015-03-02 14:07:00 +0100, Martin Prpic wrote:
>
> > "Maven Central can now be accessed via HTTPS. I think the
> > default configuration should be switched to use that, rather
> > than the current unsecured HTTP transport."
>
> Does it use any sort of package signing and signature verification?

Seeing as the patch only does s/http/https/, I would say, unfortunately, no.

https://git-wip-us.apache.org/repos/asf?p=maven.git;a=patch;h=92161918

-- 
Martin Prpič / Red Hat Product Security

