From Olivier Lamy <ol...@apache.org>
Subject [SECURITY] CVE-2013-0253 Apache Maven 3.0.4
Date Sat, 23 Feb 2013 14:59:11 GMT
CVE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) introduced a non-secure
SSL mode that is enabled by default. This mode disables all SSL certificate
checking, including host name verification, certificate date validity, and
certificate chain validation. Not validating the server certificate makes a
man-in-the-middle attack possible.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.
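A small audit helper, added here and not part of the advisory, that checks the two things a defender wants to know: whether a Maven installation is in the affected range, and whether the JVM options in use explicitly switch the three disabled checks back off after an upgrade. The affected versions come from the advisory; the maven.wagon.http.ssl.* property names are taken from the wagon-http provider documentation rather than from this message, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not the Maven project's code). Assumptions: `mvn -v` prints
# a first line starting "Apache Maven <version>", the wagon-http jar under
# $M2_HOME/lib is named wagon-http-<version>[-suffix].jar, and the
# maven.wagon.http.ssl.* properties are as documented for wagon-http.

# Return 0 if `mvn -v` output names the affected Maven release (3.0.4).
maven_version_affected() {
  ver=$(printf '%s\n' "$1" \
        | sed -n 's/^Apache Maven \([0-9][0-9.]*\).*/\1/p' | head -n 1)
  case "$ver" in
    3.0.4) return 0 ;;
    *)     return 1 ;;
  esac
}

# Return 0 if a wagon-http jar file name is one of the affected 2.1-2.3 releases.
wagon_jar_affected() {
  case "$(basename "$1")" in
    wagon-http-2.[123].jar|wagon-http-2.[123]-*.jar) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if MAVEN_OPTS-style text turns any of the three checks the
# advisory names (chain, host name, date validity) off explicitly.
# These are the knobs Maven 3.0.5 / Wagon 2.4 default to "false".
opts_disable_ssl_checks() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -Eq \
    '^-Dmaven\.wagon\.http\.ssl\.(insecure|allowall|ignore\.validity\.dates)=true$'
}

# Demo on constructed input; on a real host use "$(mvn -v)" and "$MAVEN_OPTS".
sample_mvn_v='Apache Maven 3.0.4 (constructed sample)
Java version: 1.6.0 (constructed sample)'
if maven_version_affected "$sample_mvn_v"; then
  echo "affected Maven release: upgrade to 3.0.5 / Wagon 2.4"
fi
if opts_disable_ssl_checks "-Xmx512m -Dmaven.wagon.http.ssl.insecure=true"; then
  echo "MAVEN_OPTS re-enables insecure SSL mode"
fi
```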

This issue was identified by Graham Leggett.

The Apache Maven Team
