Bug#779331: maven downloads and runs completely unauthed jars via HTTP

2015-02-27 Thread Hans-Christoph Steiner
Package: maven Version: 3.0.4-3 Severity: grave Tags: security By default, maven versions before v3.2.3 download from Maven Central using plain HTTP and do not check any kind of signature on the code before running it. This is a very bad situation, making it quite easy for malicious actors take

Processed: set affects

2015-02-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > affects 779331 3.0.4-2 3.0.5-2 Bug #779331 [maven] maven downloads and runs completely unauthed jars via HTTP Added indication that 779331 affects 3.0.4-2 and 3.0.5-2 > End of message, stopping processing here. Please contact me if you need assis

Bug#779331: maven downloads and runs completely unauthed jars via HTTP

2015-02-27 Thread Emmanuel Bourg
This also affects the maven2 and maven2-core packages. __ This is the maintainer address of Debian's Java team. Please use debian-j...@lists.debian.org for discussions and questions.

Processed: cloning 779331, reassign -1 to maven2, reassign -2 to maven2-core

2015-02-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: > clone 779331 -1 -2 Bug #779331 [maven] maven downloads and runs completely unauthed jars via HTTP Bug 779331 cloned as bugs 779337-779338 > reassign -1 maven2 Bug #779337 [maven] maven downloads and runs completely unauthed jars via HTTP Bug reass

Processing of maven2-core_2.2.1-17_amd64.changes

2015-02-27 Thread Debian FTP Masters
maven2-core_2.2.1-17_amd64.changes uploaded successfully to localhost along with the files: maven2-core_2.2.1-17.dsc maven2-core_2.2.1-17.debian.tar.xz libmaven2-core-java_2.2.1-17_all.deb libmaven2-core-java-doc_2.2.1-17_all.deb Greetings, Your Debian queue daemon (running on hos

maven2-core_2.2.1-17_amd64.changes ACCEPTED into unstable

2015-02-27 Thread Debian FTP Masters
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Fri, 27 Feb 2015 11:46:36 +0100 Source: maven2-core Binary: libmaven2-core-java libmaven2-core-java-doc Architecture: source all Version: 2.2.1-17 Distribution: unstable Urgency: high Maintainer: Debian Java Maintainers

Bug#779338: marked as done (maven downloads and runs completely unauthed jars via HTTP)

2015-02-27 Thread Debian Bug Tracking System
Your message dated Fri, 27 Feb 2015 13:33:53 + with message-id and subject line Bug#779338: fixed in maven2-core 2.2.1-17 has caused the Debian Bug report #779338, regarding maven downloads and runs completely unauthed jars via HTTP to be marked as done. This means that you claim that the pro

Processing of maven2_2.2.1-22_amd64.changes

2015-02-27 Thread Debian FTP Masters
maven2_2.2.1-22_amd64.changes uploaded successfully to localhost along with the files: maven2_2.2.1-22.dsc maven2_2.2.1-22.debian.tar.xz maven2_2.2.1-22_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)

Bug#779344: java-gnome: failed to build when with parallel build

2015-02-27 Thread YunQiang Su
Package: java-gnome Version: 4.1.3-3 Index: java-gnome-4.1.3/Makefile === --- java-gnome-4.1.3.orig/Makefile 2013-05-05 09:08:23.0 +0800 +++ java-gnome-4.1.3/Makefile 2015-02-27 21:55:40.577816209 +0800 @@ -56,7 +56,7 @@ $(D

maven2_2.2.1-22_amd64.changes ACCEPTED into unstable

2015-02-27 Thread Debian FTP Masters
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Fri, 27 Feb 2015 12:23:20 +0100 Source: maven2 Binary: maven2 Architecture: source all Version: 2.2.1-22 Distribution: unstable Urgency: high Maintainer: Debian Java Maintainers Changed-By: Emmanuel Bourg Description:

Bug#779337: marked as done (maven downloads and runs completely unauthed jars via HTTP)

2015-02-27 Thread Debian Bug Tracking System
Your message dated Fri, 27 Feb 2015 15:20:04 + with message-id and subject line Bug#779337: fixed in maven2 2.2.1-22 has caused the Debian Bug report #779337, regarding maven downloads and runs completely unauthed jars via HTTP to be marked as done. This means that you claim that the problem

Bug#559767: severity of 559767 is important

2015-02-27 Thread raphael . jolly
On Mon, 10 Nov 2014 10:13:52 +0100 Emmanuel Bourg wrote: > Despite the similar error message the build fail for another reason on > amd64. The "libj3dcore-ogl.so: No such file or directory" message occurs > whenever a compilation error occurs in the native part of java3d. The > actual error is

Processing of maven_3.0.5-3_amd64.changes

2015-02-27 Thread Debian FTP Masters
maven_3.0.5-3_amd64.changes uploaded successfully to localhost along with the files: maven_3.0.5-3.dsc maven_3.0.5-3.debian.tar.xz maven_3.0.5-3_all.deb Greetings, Your Debian queue daemon (running on host franck.debian.org)

maven_3.0.5-3_amd64.changes ACCEPTED into unstable

2015-02-27 Thread Debian FTP Masters
Accepted: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Format: 1.8 Date: Fri, 27 Feb 2015 17:56:07 +0100 Source: maven Binary: maven Architecture: source all Version: 3.0.5-3 Distribution: unstable Urgency: high Maintainer: Debian Java Maintainers Changed-By: Emmanuel Bourg Description: ma

Bug#779331: marked as done (maven downloads and runs completely unauthed jars via HTTP)

2015-02-27 Thread Debian Bug Tracking System
Your message dated Fri, 27 Feb 2015 17:34:03 + with message-id and subject line Bug#779331: fixed in maven 3.0.5-3 has caused the Debian Bug report #779331, regarding maven downloads and runs completely unauthed jars via HTTP to be marked as done. This means that you claim that the problem ha