Message-Id: <201404150238.s3F2chHG071501@cgiserv.freebsd.org>
Date: Tue, 15 Apr 2014 02:38:43 GMT
From: Patrick Abeya
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/188638: [PATCH] devel/maven3 security fix

>Number: 188638
>Category: ports
>Synopsis: [PATCH] devel/maven3 security fix
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 15 02:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Patrick Abeya
>Release: FreeBSD 10.0-RELEASE-p1
>Organization:
>Environment:
FreeBSD damon 10.0-RELEASE-p1 FreeBSD 10.0-RELEASE-p1 #0: Tue Apr 8 06:45:06 UTC 2014 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Fixes security issue CVE-2013-0253

CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.

Also added pkg-plist to port
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

Index: Makefile =================================================================== --- Makefile (revision 351302) +++ Makefile (working copy) 
@@ -2,13 +2,13 @@ # $FreeBSD$ PORTNAME= maven3 -DISTVERSION= 3.0.4 +DISTVERSION= 3.0.5 CATEGORIES= devel java MASTER_SITES= ${MASTER_SITE_APACHE} MASTER_SITE_SUBDIR= maven/binaries DISTNAME= apache-maven-${DISTVERSION}-bin -MAINTAINER= ports@FreeBSD.org +MAINTAINER= wombat@marsupial.org COMMENT= Java project management tool, 3.x branch LICENSE= APACHE20 @@ -22,10 +22,8 @@ WRKSRC= ${WRKDIR}/apache-maven-${DISTVERSION} SUB_FILES= mvn.sh SUB_LIST= CLASSWORLDS_JAR=plexus-classworlds-2.4.jar -INSTANCE_FILE= 030004-${PORTNAME}-${PORTVERSION} +INSTANCE_FILE= 030005-${PORTNAME}-${PORTVERSION} INSTANCES_DIR= etc/maven-wrapper/instances.d/ -PLIST_FILES= ${INSTANCES_DIR}/${INSTANCE_FILE} -PORTDATA= * post-extract: ${RM} -f ${WRKSRC}/bin/*.bat Index: distinfo =================================================================== --- distinfo (revision 351302) +++ distinfo (working copy) @@ -1,2 +1,2 @@ -SHA256 (apache-maven-3.0.4-bin.tar.gz) = d35a876034c08cb7e20ea2fbcf168bcad4dff5801abad82d48055517513faa2f -SIZE (apache-maven-3.0.4-bin.tar.gz) = 4873043 +SHA256 (apache-maven-3.0.5-bin.tar.gz) = d98d766be9254222920c1d541efd466ae6502b82a39166c90d65ffd7ea357dd9 +SIZE (apache-maven-3.0.5-bin.tar.gz) = 5144659 Index: pkg-plist =================================================================== --- pkg-plist (revision 0) +++ pkg-plist (working copy) 
@@ -0,0 +1,49 @@ +etc/maven-wrapper/instances.d/030005-maven3-3.0.5 +%%DATADIR%%/030005-maven3-3.0.5 +%%DATADIR%%/LICENSE.txt +%%DATADIR%%/NOTICE.txt +%%DATADIR%%/README.txt +%%DATADIR%%/bin/m2.conf +%%DATADIR%%/bin/mvn +%%DATADIR%%/bin/mvnDebug +%%DATADIR%%/bin/mvnyjp +%%DATADIR%%/boot/plexus-classworlds-2.4.jar +%%DATADIR%%/conf/settings.xml +%%DATADIR%%/lib/aether-api-1.13.1.jar +%%DATADIR%%/lib/aether-connector-wagon-1.13.1.jar +%%DATADIR%%/lib/aether-impl-1.13.1.jar +%%DATADIR%%/lib/aether-spi-1.13.1.jar +%%DATADIR%%/lib/aether-util-1.13.1.jar +%%DATADIR%%/lib/commons-cli-1.2.jar +%%DATADIR%%/lib/ext/README.txt +%%DATADIR%%/lib/maven-aether-provider-3.0.5.jar +%%DATADIR%%/lib/maven-artifact-3.0.5.jar +%%DATADIR%%/lib/maven-compat-3.0.5.jar +%%DATADIR%%/lib/maven-core-3.0.5.jar +%%DATADIR%%/lib/maven-embedder-3.0.5.jar +%%DATADIR%%/lib/maven-model-3.0.5.jar +%%DATADIR%%/lib/maven-model-builder-3.0.5.jar +%%DATADIR%%/lib/maven-plugin-api-3.0.5.jar +%%DATADIR%%/lib/maven-repository-metadata-3.0.5.jar +%%DATADIR%%/lib/maven-settings-3.0.5.jar +%%DATADIR%%/lib/maven-settings-builder-3.0.5.jar +%%DATADIR%%/lib/plexus-cipher-1.7.jar +%%DATADIR%%/lib/plexus-component-annotations-1.5.5.jar +%%DATADIR%%/lib/plexus-interpolation-1.14.jar +%%DATADIR%%/lib/plexus-sec-dispatcher-1.3.jar +%%DATADIR%%/lib/plexus-utils-2.0.6.jar +%%DATADIR%%/lib/sisu-guava-0.9.9.jar +%%DATADIR%%/lib/sisu-guice-3.1.0-no_aop.jar +%%DATADIR%%/lib/sisu-inject-bean-2.3.0.jar +%%DATADIR%%/lib/sisu-inject-plexus-2.3.0.jar +%%DATADIR%%/lib/wagon-file-2.4.jar +%%DATADIR%%/lib/wagon-http-2.4-shaded.jar +%%DATADIR%%/lib/wagon-provider-api-2.4.jar +@dirrmtry %%DATADIR%%/lib/ext +@dirrmtry %%DATADIR%%/lib +@dirrmtry %%DATADIR%%/conf +@dirrmtry %%DATADIR%%/boot +@dirrmtry %%DATADIR%%/bin +@dirrmtry %%DATADIR%% +@dirrmtry etc/maven-wrapper/instances.d +@dirrmtry etc/maven-wrapper Property changes on: pkg-plist ___________________________________________________________________ Added: svn:mime-type ## -0,0 +1 
## +text/plain \ No newline at end of property Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property >Release-Note: >Audit-Trail: >Unformatted:
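Review bot: The first Makefile hunk changes MAINTAINER from ports@FreeBSD.org to wombat@marsupial.org, but the description only mentions the CVE-2013-0253 fix and the added pkg-plist. Please state the maintainership request explicitly in the PR text so the committer can handle it deliberately rather than as a side effect of the version bump.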
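Review bot: In the second Makefile hunk, INSTANCE_FILE still hard-codes the version prefix (030004 becomes 030005) next to DISTVERSION, so the two have to be bumped by hand together on every update. The same hunk also drops PLIST_FILES and PORTDATA= *, which removes the only place the instance file was listed through ${INSTANCES_DIR}/${INSTANCE_FILE}. If the static pkg-plist stays, consider exporting the name through PLIST_SUB so the Makefile remains the single source for it.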
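Review bot: The distinfo hunk replaces the SHA256 and SIZE for apache-maven-3.0.5-bin.tar.gz, and nothing in the PR says how the new digest was obtained. For a security update, please confirm that d98d766b... matches the checksum or signature Apache publishes for the 3.0.5 binary tarball, not just the output of make makesum on a locally fetched file. The patch touches only Makefile, distinfo and pkg-plist, so recording CVE-2013-0253 for installed 3.0.4 packages in security/vuxml would need a separate change.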
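Review bot: The new pkg-plist spells out the instance name literally in its first two entries (etc/maven-wrapper/instances.d/030005-maven3-3.0.5 and %%DATADIR%%/030005-maven3-3.0.5) and pins every jar version, so each future update means regenerating the whole file. Please confirm the instance file is really meant to be packaged under %%DATADIR%% as well as under etc/maven-wrapper/instances.d, and consider a PLIST_SUB substitution for the instance name. The wagon-*-2.4 entries are consistent with moving off the Wagon 2.1 named in the description.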