oss-sec mailing list archives
Re: CVE request: Maven downloads JARs via HTTP
From: Martin Prpic <mprpic () redhat com>
Date: Mon, 02 Mar 2015 17:34:55 +0100
gremlin () gremlin ru writes:
> On 2015-03-02 14:07:00 +0100, Martin Prpic wrote:
>
> > "Maven Central can now be accessed via HTTPS. I think the
> > default configuration should be switched to use that, rather
> > than the current unsecured HTTP transport."
>
> Does it use any sort of package signing and signature verification?

Seeing as the patch only does s/http/https/, I would say, unfortunately, no.

https://git-wip-us.apache.org/repos/asf?p=maven.git;a=patch;h=92161918

--
Martin Prpič / Red Hat Product Security