ports/188638: [PATCH] devel/maven3 security fix
Patrick Abeya
wombat at marsupial.org
Tue Apr 15 02:40:01 UTC 2014
>Number: 188638
>Category: ports
>Synopsis: [PATCH] devel/maven3 security fix
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 15 02:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Patrick Abeya
>Release: FreeBSD 10.0-RELEASE-p1
>Organization:
>Environment:
FreeBSD damon 10.0-RELEASE-p1 FreeBSD 10.0-RELEASE-p1 #0: Tue Apr 8 06:45:06 UTC 2014 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Fixes security issue CVE-2013-0253
CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.
Also added pkg-plist to port
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
Index: Makefile
===================================================================
--- Makefile (revision 351302)
+++ Makefile (working copy)
@@ -2,13 +2,13 @@
# $FreeBSD$
PORTNAME= maven3
-DISTVERSION= 3.0.4
+DISTVERSION= 3.0.5
CATEGORIES= devel java
MASTER_SITES= ${MASTER_SITE_APACHE}
MASTER_SITE_SUBDIR= maven/binaries
DISTNAME= apache-maven-${DISTVERSION}-bin
-MAINTAINER= ports at FreeBSD.org
+MAINTAINER= wombat at marsupial.org
COMMENT= Java project management tool, 3.x branch
LICENSE= APACHE20
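Review bot: the `MAINTAINER` change from `ports at FreeBSD.org` to the submitter's address is not mentioned in the Synopsis or Description, which cover only the CVE-2013-0253 fix and the new pkg-plist. Say explicitly in the PR that maintainership is being requested so the committer can approve it knowingly, or send it as a separate request so the 3.0.5 security update is not held up by it.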
@@ -22,10 +22,8 @@
WRKSRC= ${WRKDIR}/apache-maven-${DISTVERSION}
SUB_FILES= mvn.sh
SUB_LIST= CLASSWORLDS_JAR=plexus-classworlds-2.4.jar
-INSTANCE_FILE= 030004-${PORTNAME}-${PORTVERSION}
+INSTANCE_FILE= 030005-${PORTNAME}-${PORTVERSION}
INSTANCES_DIR= etc/maven-wrapper/instances.d/
-PLIST_FILES= ${INSTANCES_DIR}/${INSTANCE_FILE}
-PORTDATA= *
post-extract:
${RM} -f ${WRKSRC}/bin/*.bat
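Review bot: dropping `PLIST_FILES` and `PORTDATA= *` is a packaging change unrelated to the certificate-checking fix, and it removes the only place where the packing list followed `${INSTANCE_FILE}` automatically. Consider limiting this hunk to the `INSTANCE_FILE` bump (`030004` to `030005`) and moving the plist conversion to a follow-up, so the security update stays minimal and easy to review.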
Index: distinfo
===================================================================
--- distinfo (revision 351302)
+++ distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (apache-maven-3.0.4-bin.tar.gz) = d35a876034c08cb7e20ea2fbcf168bcad4dff5801abad82d48055517513faa2f
-SIZE (apache-maven-3.0.4-bin.tar.gz) = 4873043
+SHA256 (apache-maven-3.0.5-bin.tar.gz) = d98d766be9254222920c1d541efd466ae6502b82a39166c90d65ffd7ea357dd9
+SIZE (apache-maven-3.0.5-bin.tar.gz) = 5144659
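Review bot: the new `SHA256` for apache-maven-3.0.5-bin.tar.gz comes with no statement of how it was checked, which is worth recording for an update motivated by a MITM issue. Please note in the PR that the digest was compared against the checksum or signature Apache publishes for this release, obtained separately from the mirror that served the tarball, rather than only generated from whatever was downloaded.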
Index: pkg-plist
===================================================================
--- pkg-plist (revision 0)
+++ pkg-plist (working copy)
@@ -0,0 +1,49 @@
+etc/maven-wrapper/instances.d/030005-maven3-3.0.5
+%%DATADIR%%/030005-maven3-3.0.5
+%%DATADIR%%/LICENSE.txt
+%%DATADIR%%/NOTICE.txt
+%%DATADIR%%/README.txt
+%%DATADIR%%/bin/m2.conf
+%%DATADIR%%/bin/mvn
+%%DATADIR%%/bin/mvnDebug
+%%DATADIR%%/bin/mvnyjp
+%%DATADIR%%/boot/plexus-classworlds-2.4.jar
+%%DATADIR%%/conf/settings.xml
+%%DATADIR%%/lib/aether-api-1.13.1.jar
+%%DATADIR%%/lib/aether-connector-wagon-1.13.1.jar
+%%DATADIR%%/lib/aether-impl-1.13.1.jar
+%%DATADIR%%/lib/aether-spi-1.13.1.jar
+%%DATADIR%%/lib/aether-util-1.13.1.jar
+%%DATADIR%%/lib/commons-cli-1.2.jar
+%%DATADIR%%/lib/ext/README.txt
+%%DATADIR%%/lib/maven-aether-provider-3.0.5.jar
+%%DATADIR%%/lib/maven-artifact-3.0.5.jar
+%%DATADIR%%/lib/maven-compat-3.0.5.jar
+%%DATADIR%%/lib/maven-core-3.0.5.jar
+%%DATADIR%%/lib/maven-embedder-3.0.5.jar
+%%DATADIR%%/lib/maven-model-3.0.5.jar
+%%DATADIR%%/lib/maven-model-builder-3.0.5.jar
+%%DATADIR%%/lib/maven-plugin-api-3.0.5.jar
+%%DATADIR%%/lib/maven-repository-metadata-3.0.5.jar
+%%DATADIR%%/lib/maven-settings-3.0.5.jar
+%%DATADIR%%/lib/maven-settings-builder-3.0.5.jar
+%%DATADIR%%/lib/plexus-cipher-1.7.jar
+%%DATADIR%%/lib/plexus-component-annotations-1.5.5.jar
+%%DATADIR%%/lib/plexus-interpolation-1.14.jar
+%%DATADIR%%/lib/plexus-sec-dispatcher-1.3.jar
+%%DATADIR%%/lib/plexus-utils-2.0.6.jar
+%%DATADIR%%/lib/sisu-guava-0.9.9.jar
+%%DATADIR%%/lib/sisu-guice-3.1.0-no_aop.jar
+%%DATADIR%%/lib/sisu-inject-bean-2.3.0.jar
+%%DATADIR%%/lib/sisu-inject-plexus-2.3.0.jar
+%%DATADIR%%/lib/wagon-file-2.4.jar
+%%DATADIR%%/lib/wagon-http-2.4-shaded.jar
+%%DATADIR%%/lib/wagon-provider-api-2.4.jar
+ at dirrmtry %%DATADIR%%/lib/ext
+ at dirrmtry %%DATADIR%%/lib
+ at dirrmtry %%DATADIR%%/conf
+ at dirrmtry %%DATADIR%%/boot
+ at dirrmtry %%DATADIR%%/bin
+ at dirrmtry %%DATADIR%%
+ at dirrmtry etc/maven-wrapper/instances.d
+ at dirrmtry etc/maven-wrapper
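Review bot: the first two entries and the eleven `maven-*-3.0.5.jar` lines hardcode the version, so the next update has to touch every one of them, and a missed line leaves the packing list out of step with what is installed. A `PLIST_SUB` substitution for the version would keep the list in step with `DISTVERSION`. Please also confirm that `%%DATADIR%%/030005-maven3-3.0.5` is intended, since the same instance file is already listed under `etc/maven-wrapper/instances.d/`.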
Property changes on: pkg-plist
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
>Release-Note:
>Audit-Trail:
>Unformatted: