Date: Mon, 2 Mar 2015 20:26:45 +0300
From: gremlin@...mlin.ru
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Maven downloads JARs via HTTP

On 2015-03-02 17:34:55 +0100, Martin Prpic wrote:

>>> "Maven Central can now be accessed via HTTPS. I think the
>>> default configuration should be switched to use that, rather
>>> than the current unsecured HTTP transport."
>> Does it use any sort of package signing and signature
>> verification?
> Seeing as the patch only does s/http/https/,

Obviously, that doesn't really help.

> I would say, unfortunately, no.

Well... it seems like we have yet another class of vulnerabilities
fully inducted by stupidity: "%s lacks integrity check on update".

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
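An added check for the transport half of this thread (it is example code written for this page, not Maven's code and not anything posted by the participants): it walks a POM or settings.xml with the standard library's ElementTree, ignores the POM namespace, and reports every repository, plugin repository, snapshot repository or mirror whose <url> still uses plain http://. The two sample documents are constructed for the example; the repository ids and example.test hosts in them are made up.

```python
"""Flag Maven repository and mirror URLs that use plaintext HTTP.

Added illustration for the oss-security thread above; not Maven's own code.
It reports every <url> under a <repository>, <pluginRepository>,
<snapshotRepository> or <mirror> element whose scheme is http://.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

# Elements whose <url> child names a place Maven downloads from or uploads to.
REPO_ELEMENTS = {"repository", "pluginRepository", "snapshotRepository", "mirror"}


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_repos(xml_text: str) -> List[Tuple[str, str]]:
    """Return (repository id, url) pairs for every repository URL using http://.

    Works on both pom.xml and settings.xml because it matches on local element
    names only. Elements without a <url> child are skipped.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) not in REPO_ELEMENTS:
            continue
        repo_id, url = "", ""
        for child in elem:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        if url and urlsplit(url).scheme.lower() == "http":
            findings.append((repo_id, url))
    return findings


# Constructed sample POM: one http:// repository, one https:// repository,
# and one http:// plugin repository. Hosts under example.test are made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <repositories>
    <repository>
      <id>central</id>
      <url>http://repo1.maven.org/maven2</url>
    </repository>
    <repository>
      <id>internal</id>
      <url>https://repo.example.test/maven2</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://plugins.example.test/maven2</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""

# Constructed sample settings.xml with a plaintext mirror of central.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <id>corp-mirror</id>
      <mirrorOf>central</mirrorOf>
      <url>http://mirror.example.test/maven2</url>
    </mirror>
  </mirrors>
</settings>
"""

if __name__ == "__main__":
    for name, doc in (("pom.xml", SAMPLE_POM), ("settings.xml", SAMPLE_SETTINGS)):
        for repo_id, url in find_plaintext_repos(doc):
            print(f"{name}: repository '{repo_id}' uses plaintext HTTP: {url}")
```

Two caveats when using this on a real project. The default Central URL the thread complains about lives in Maven's super POM, not in the project's pom.xml, so run the check against the output of `mvn help:effective-pom` (or the user's settings.xml mirrors) rather than the project file alone. And, as the reply above says, a clean result here only means the transport is encrypted; it says nothing about whether the JARs are signed or whether anything verifies those signatures.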