Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4
- To: security <security@xxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Fwd: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4
- From: Olivier Lamy <olamy@xxxxxxxxxx>
- Date: Sun, 24 Feb 2013 08:48:44 +0100
CVE-2013-0253 Apache Maven
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3
Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) introduced a non-secure
SSL mode by default. This mode disables all SSL certificate checking,
including host name verification, date validity, and certificate
chain validation. Not validating the certificate introduces the possibility of a
man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5 and Apache
Maven Wagon 2.4.
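A quick way to check whether an installation falls in the affected ranges above: `mvn -v` prints the Maven version but not the bundled Wagon version, so this added script (not part of the advisory) reads both off the jar names in Maven's `lib/` directory. The jar naming pattern (`maven-core-<ver>.jar`, `wagon-*-<ver>[-shaded].jar`) and the sample listings are assumptions, not taken from the advisory.

```python
import re
from pathlib import Path

# Affected versions as listed in the advisory.
AFFECTED_MAVEN = {(3, 0, 4)}
AFFECTED_WAGON = {(2, 1), (2, 2), (2, 3)}

# Constructed sample lib/ listings (assumed naming, not a real installation).
SAMPLE_LIB_AFFECTED = [
    "maven-core-3.0.4.jar",
    "wagon-provider-api-2.2.jar",
    "wagon-http-2.2-shaded.jar",
    "wagon-file-2.2.jar",
]
SAMPLE_LIB_FIXED = [
    "maven-core-3.0.5.jar",
    "wagon-provider-api-2.4.jar",
    "wagon-http-2.4-shaded.jar",
]

# Matches maven-core and any wagon-* jar and captures its version string.
JAR_RE = re.compile(
    r"^(?P<artifact>maven-core|wagon-[a-z-]+?)-(?P<ver>\d+(?:\.\d+)+)(?:-shaded)?\.jar$"
)


def parse_version(text):
    """Turn '3.0.4' into (3, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def bundled_versions(jar_names):
    """Return (maven_version, set_of_wagon_versions) read from jar names."""
    maven, wagon = None, set()
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        version = parse_version(m.group("ver"))
        if m.group("artifact") == "maven-core":
            maven = version
        else:
            wagon.add(version)
    return maven, wagon


def is_affected(jar_names):
    """True if either the Maven core or any bundled Wagon jar is an affected version."""
    maven, wagon = bundled_versions(jar_names)
    return maven in AFFECTED_MAVEN or bool(wagon & AFFECTED_WAGON)


def audit_maven_home(maven_home):
    """Audit a real installation: pass the 'Maven home' path shown by 'mvn -v'."""
    return is_affected([p.name for p in Path(maven_home, "lib").glob("*.jar")])
```

Projects that pull a newer Wagon provider through `<extensions>` in their POM need the same check against those artifacts, since they are not in `lib/`.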
Credit:
This issue was identified by Graham Leggett
--
The Apache Maven Team