[
https://issues.apache.org/jira/browse/MNG-6673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan Leitschuh updated MNG-6673:
------------------------------------
Description:
Some of the most popular Java projects in the JVM ecosystem are vulnerable to a
MITM of their dependencies. This is something that build tools can help prevent.
Starting in the next release of Maven, Maven should begin warning users about
the use of HTTP to download/upload artifacts to/from artifact servers.
I believe that Maven/Gradle/SBT should require users to opt-out of the security
offered by using HTTPS to download/upload artifacts.
Here's a list of projects that were found to be vulnerable to this:
[https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
This issue will be updated later today to link to the public disclosure of this
industry-wide vulnerability.
The full description of this industry-wide vulnerability can be found here:
[Want to take over the Java ecosystem? All you need is a
MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e]
!mitm_build.jpeg!
was:
Some of the most popular Java projects in the JVM ecosystem are vulnerable to a
MITM of their dependencies. This is something that build tools can help prevent.
Starting in the next release of Maven, Maven should begin warning users about
the use of HTTP to download/upload artifacts to/from artifact servers.
I believe that Maven/Gradle/SBT should require users to opt-out of the security
offered by using HTTPS to download/upload artifacts.
Here's a list of projects that were found to be vulnerable to this:
[https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
This issue will be updated later today to link to the public disclosure of this
industry-wide vulnerability.
> Deprecate HTTP Download & Upload
> --------------------------------
>
> Key: MNG-6673
> URL: https://issues.apache.org/jira/browse/MNG-6673
> Project: Maven
> Issue Type: Improvement
> Components: Deployment
> Reporter: Jonathan Leitschuh
> Priority: Major
> Attachments: mitm_build.jpeg
>
>
> Some of the most popular Java projects in the JVM ecosystem are vulnerable to
> a MITM of their dependencies. This is something that build tools can help
> prevent.
> Starting in the next release of Maven, Maven should begin warning users about
> the use of HTTP to download/upload artifacts to/from artifact servers.
> I believe that Maven/Gradle/SBT should require users to opt-out of the
> security offered by using HTTPS to download/upload artifacts.
> Here's a list of projects that were found to be vulnerable to this:
> [https://docs.google.com/spreadsheets/d/1zemxj8QdIp0saqvwJx6Po1KnyEmJXl2KC_0j0SLd_2E/edit?usp=sharing]
> This issue will be updated later today to link to the public disclosure of
> this industry-wide vulnerability.
>
> The full description of this industry-wide vulnerability can be found here:
> [Want to take over the Java ecosystem? All you need is a
> MITM!|https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e]
> !mitm_build.jpeg!
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
