ports/188638: [PATCH] devel/maven3 security fix

Patrick Abeya wombat at marsupial.org
Tue Apr 15 02:40:01 UTC 2014


>Number:         188638
>Category:       ports
>Synopsis:       [PATCH] devel/maven3 security fix
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 15 02:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Abeya
>Release:        FreeBSD 10.0-RELEASE-p1
>Organization:
>Environment:
FreeBSD damon 10.0-RELEASE-p1 FreeBSD 10.0-RELEASE-p1 #0: Tue Apr  8 06:45:06 UTC 2014     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Fixes security issue CVE-2013-0253

CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

Also added pkg-plist to port
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: Makefile
===================================================================
--- Makefile	(revision 351302)
+++ Makefile	(working copy)
@@ -2,13 +2,13 @@
 # $FreeBSD$
 
 PORTNAME=	maven3
-DISTVERSION=	3.0.4
+DISTVERSION=	3.0.5
 CATEGORIES=	devel java
 MASTER_SITES=	${MASTER_SITE_APACHE}
 MASTER_SITE_SUBDIR=	maven/binaries
 DISTNAME=	apache-maven-${DISTVERSION}-bin
 
-MAINTAINER=	ports at FreeBSD.org
+MAINTAINER=	wombat at marsupial.org
 COMMENT=	Java project management tool, 3.x branch
 
 LICENSE=	APACHE20
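Review bot: the MAINTAINER change from ports at FreeBSD.org to wombat at marsupial.org is a maintainership takeover bundled into a security update, but the PR description above mentions only the CVE fix and the new pkg-plist; say so explicitly in the description so the committer can note it in the log. The DISTVERSION bump from 3.0.4 to 3.0.5 is the part that actually addresses CVE-2013-0253, so it is worth stating in the PR that 3.0.5 is the upstream release carrying the fix.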
@@ -22,10 +22,8 @@
 WRKSRC=		${WRKDIR}/apache-maven-${DISTVERSION}
 SUB_FILES=	mvn.sh
 SUB_LIST=	CLASSWORLDS_JAR=plexus-classworlds-2.4.jar
-INSTANCE_FILE=	030004-${PORTNAME}-${PORTVERSION}
+INSTANCE_FILE=	030005-${PORTNAME}-${PORTVERSION}
 INSTANCES_DIR=	etc/maven-wrapper/instances.d/
-PLIST_FILES=	${INSTANCES_DIR}/${INSTANCE_FILE}
-PORTDATA=	*
 
 post-extract:
 	${RM} -f ${WRKSRC}/bin/*.bat
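Review bot: INSTANCE_FILE hardcodes the 030005 prefix separately from DISTVERSION, so this bump had to be repeated by hand in two places and the two can drift apart on the next update; consider deriving the prefix from DISTVERSION, or at least adding a comment that the prefix must track the version. Dropping PLIST_FILES and PORTDATA= * in favour of a pkg-plist is reasonable, but INSTANCE_FILE is then no longer used to generate the plist entry, which is what makes the duplication easy to miss.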
Index: distinfo
===================================================================
--- distinfo	(revision 351302)
+++ distinfo	(working copy)
@@ -1,2 +1,2 @@
-SHA256 (apache-maven-3.0.4-bin.tar.gz) = d35a876034c08cb7e20ea2fbcf168bcad4dff5801abad82d48055517513faa2f
-SIZE (apache-maven-3.0.4-bin.tar.gz) = 4873043
+SHA256 (apache-maven-3.0.5-bin.tar.gz) = d98d766be9254222920c1d541efd466ae6502b82a39166c90d65ffd7ea357dd9
+SIZE (apache-maven-3.0.5-bin.tar.gz) = 5144659
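Review bot: because this update exists to fix a certificate-validation bypass (CVE-2013-0253), the new SHA256 for apache-maven-3.0.5-bin.tar.gz should be cross-checked against the checksum and signature Apache publishes for the release rather than taken only from a locally fetched tarball, since make makesum records whatever was downloaded; a line in the PR saying this was done would save the committer repeating the check.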
Index: pkg-plist
===================================================================
--- pkg-plist	(revision 0)
+++ pkg-plist	(working copy)
@@ -0,0 +1,49 @@
+etc/maven-wrapper/instances.d/030005-maven3-3.0.5
+%%DATADIR%%/030005-maven3-3.0.5
+%%DATADIR%%/LICENSE.txt
+%%DATADIR%%/NOTICE.txt
+%%DATADIR%%/README.txt
+%%DATADIR%%/bin/m2.conf
+%%DATADIR%%/bin/mvn
+%%DATADIR%%/bin/mvnDebug
+%%DATADIR%%/bin/mvnyjp
+%%DATADIR%%/boot/plexus-classworlds-2.4.jar
+%%DATADIR%%/conf/settings.xml
+%%DATADIR%%/lib/aether-api-1.13.1.jar
+%%DATADIR%%/lib/aether-connector-wagon-1.13.1.jar
+%%DATADIR%%/lib/aether-impl-1.13.1.jar
+%%DATADIR%%/lib/aether-spi-1.13.1.jar
+%%DATADIR%%/lib/aether-util-1.13.1.jar
+%%DATADIR%%/lib/commons-cli-1.2.jar
+%%DATADIR%%/lib/ext/README.txt
+%%DATADIR%%/lib/maven-aether-provider-3.0.5.jar
+%%DATADIR%%/lib/maven-artifact-3.0.5.jar
+%%DATADIR%%/lib/maven-compat-3.0.5.jar
+%%DATADIR%%/lib/maven-core-3.0.5.jar
+%%DATADIR%%/lib/maven-embedder-3.0.5.jar
+%%DATADIR%%/lib/maven-model-3.0.5.jar
+%%DATADIR%%/lib/maven-model-builder-3.0.5.jar
+%%DATADIR%%/lib/maven-plugin-api-3.0.5.jar
+%%DATADIR%%/lib/maven-repository-metadata-3.0.5.jar
+%%DATADIR%%/lib/maven-settings-3.0.5.jar
+%%DATADIR%%/lib/maven-settings-builder-3.0.5.jar
+%%DATADIR%%/lib/plexus-cipher-1.7.jar
+%%DATADIR%%/lib/plexus-component-annotations-1.5.5.jar
+%%DATADIR%%/lib/plexus-interpolation-1.14.jar
+%%DATADIR%%/lib/plexus-sec-dispatcher-1.3.jar
+%%DATADIR%%/lib/plexus-utils-2.0.6.jar
+%%DATADIR%%/lib/sisu-guava-0.9.9.jar
+%%DATADIR%%/lib/sisu-guice-3.1.0-no_aop.jar
+%%DATADIR%%/lib/sisu-inject-bean-2.3.0.jar
+%%DATADIR%%/lib/sisu-inject-plexus-2.3.0.jar
+%%DATADIR%%/lib/wagon-file-2.4.jar
+%%DATADIR%%/lib/wagon-http-2.4-shaded.jar
+%%DATADIR%%/lib/wagon-provider-api-2.4.jar
+ at dirrmtry %%DATADIR%%/lib/ext
+ at dirrmtry %%DATADIR%%/lib
+ at dirrmtry %%DATADIR%%/conf
+ at dirrmtry %%DATADIR%%/boot
+ at dirrmtry %%DATADIR%%/bin
+ at dirrmtry %%DATADIR%%
+ at dirrmtry etc/maven-wrapper/instances.d
+ at dirrmtry etc/maven-wrapper
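Review bot: the instance file appears twice with a literal version, `etc/maven-wrapper/instances.d/030005-maven3-3.0.5` and `%%DATADIR%%/030005-maven3-3.0.5`, even though the Makefile already defines INSTANCE_FILE; passing it through PLIST_SUB (`PLIST_SUB+= INSTANCE_FILE=${INSTANCE_FILE}` and `%%INSTANCE_FILE%%` here) would keep the plist correct across version bumps, and the copy under %%DATADIR%% should be confirmed as actually installed, since the visible Makefile hunk only associates INSTANCE_FILE with INSTANCES_DIR. The `at dirrmtry` lines are the list archive's address munging of `@dirrmtry` and should be intact in the submitted patch. On the security side, the plist lists wagon-http-2.4-shaded.jar, which confirms that the bundled HTTP transport has moved on from the Wagon 2.1 named in the CVE description.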

Property changes on: pkg-plist
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property


>Release-Note:
>Audit-Trail:
>Unformatted:
