---------- Forwarded message ----------
From: Olivier Lamy <ol...@apache.org>
Date: Sat, Feb 23, 2013 at 9:59 AM
Subject: [SECURITY] CVE-2013-0253 Apache Maven 3.0.4
To: annou...@apache.org, annou...@maven.apache.org
Cc: Maven Developers List <d...@maven.apache.org>

CVE-2013-0253 Apache Maven

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Maven 3.0.4
- Apache Maven Wagon 2.1, 2.2, 2.3

Description:
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) has introduced a non-secure SSL mode by default. This mode disables all SSL certificate checking, including: host name verification, date validity, and certificate chain. Not validating the certificate introduces the possibility of a man-in-the-middle attack.

All users are recommended to upgrade to Apache Maven 3.0.5 and Apache Maven Wagon 2.4.

Credit:
This issue was identified by Graham Leggett.

-- The Apache Maven Team
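A practical follow-up to this advisory is checking whether an installed Maven is one of the listed releases. The script below is an added example, not part of the announcement or of the Maven project; it assumes that `mvn -v` prints a first line of the form "Apache Maven <version> (...)" and that the bundled Wagon jars live under the installation's `lib/` directory as `wagon-*-<version>.jar`. Both layout assumptions, and the sample `mvn -v` line used for illustration, are constructed here and are not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Maven / Wagon versions named in
# CVE-2013-0253. Assumed (not stated in the advisory): `mvn -v` starts with
# "Apache Maven <version> (...)" and Wagon jars sit in $MAVEN_HOME/lib.

# Return 0 if the Maven version is the affected 3.0.4 release.
maven_version_affected() {
  case "$1" in
    3.0.4) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the Wagon version is one of the affected 2.1, 2.2, 2.3 releases.
wagon_version_affected() {
  case "$1" in
    2.1|2.2|2.3) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `mvn -v` output on stdin and print the Maven version from its first line.
parse_mvn_version() {
  sed -n 's/^Apache Maven \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the version embedded in a Wagon jar name, e.g.
# /opt/maven/lib/wagon-http-shared4-2.1.jar -> 2.1
wagon_jar_version() {
  printf '%s\n' "$1" | sed -n 's/^.*wagon-[a-z0-9-]*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Report on a Maven version plus any number of Wagon versions.
# Returns 0 if anything is affected, 1 if nothing matched the advisory.
assess() {
  mvn_ver="$1"; shift
  hit=1
  if maven_version_affected "$mvn_ver"; then
    echo "Apache Maven $mvn_ver: affected by CVE-2013-0253 (upgrade to 3.0.5)"
    hit=0
  fi
  for w in "$@"; do
    if wagon_version_affected "$w"; then
      echo "Apache Maven Wagon $w: affected by CVE-2013-0253 (upgrade to 2.4)"
      hit=0
    fi
  done
  return $hit
}

# Inspect one installation directory (assumed layout: bin/mvn and lib/wagon-*.jar).
scan_maven_home() {
  home="$1"
  mvn_ver=$("$home/bin/mvn" -v 2>/dev/null | parse_mvn_version)
  wagon_vers=""
  for jar in "$home"/lib/wagon-*.jar; do
    [ -e "$jar" ] || continue
    wagon_vers="$wagon_vers $(wagon_jar_version "$jar")"
  done
  # Word splitting of $wagon_vers is intentional: one argument per version.
  assess "$mvn_ver" $wagon_vers
}

# Usage: sh check_maven_cve_2013_0253.sh /path/to/maven
# Exit status 0 means an affected version was found.
if [ $# -gt 0 ]; then
  scan_maven_home "$1"
fi
```

Run it against the installation directory (the parent of `bin/mvn`); it exits 0 and prints a line for each affected component, so it can be dropped into an inventory job that needs a yes/no answer per host.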