Bug#779622: wheezy-pu: package maven/3.0.4-3~deb7u1
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I'd like to backport the latest Maven security fix to Wheezy, the security team
advised to upload it as a proposed update. Please find the debdiff below.
Thank you,
Emmanuel Bourg
diff -Nru maven-3.0.4/debian/changelog maven-3.0.4/debian/changelog
--- maven-3.0.4/debian/changelog 2012-02-06 22:42:07.000000000 +0100
+++ maven-3.0.4/debian/changelog 2015-03-03 08:53:27.000000000 +0100
@@ -1,3 +1,11 @@
+maven (3.0.4-3~deb7u1) stable; urgency=high
+
+ * Team upload.
+ * Use a secure connection by default to download artifacts
+ from the Maven Central repository (Closes: #779331)
+
+ -- Emmanuel Bourg <ebourg@apache.org> Fri, 27 Feb 2015 17:56:07 +0100
+
maven (3.0.4-3) unstable; urgency=low
* Use wagon 2.x to provide http/webdav access.
diff -Nru maven-3.0.4/debian/patches/secure-maven-central-access.diff maven-3.0.4/debian/patches/secure-maven-central-access.diff
--- maven-3.0.4/debian/patches/secure-maven-central-access.diff 1970-01-01 01:00:00.000000000 +0100
+++ maven-3.0.4/debian/patches/secure-maven-central-access.diff 2015-03-03 08:30:52.000000000 +0100
@@ -0,0 +1,33 @@
+Description: Download artifacts from Maven central using https by default
+Origin: backport, https://github.com/apache/maven/commit/9216191
+--- a/maven-core/src/main/java/org/apache/maven/repository/RepositorySystem.java
++++ b/maven-core/src/main/java/org/apache/maven/repository/RepositorySystem.java
+@@ -51,7 +51,7 @@
+
+ final String DEFAULT_REMOTE_REPO_ID = "central";
+
+- final String DEFAULT_REMOTE_REPO_URL = "http://repo.maven.apache.org/maven2";;
++ final String DEFAULT_REMOTE_REPO_URL = "https://repo.maven.apache.org/maven2";;
+
+ Artifact createArtifact( String groupId, String artifactId, String version, String packaging );
+
+--- a/maven-model-builder/src/main/resources/org/apache/maven/model/pom-4.0.0.xml
++++ b/maven-model-builder/src/main/resources/org/apache/maven/model/pom-4.0.0.xml
+@@ -27,7 +27,7 @@
+ <repository>
+ <id>central</id>
+ <name>Central Repository</name>
+- <url>http://repo.maven.apache.org/maven2</url>
++ <url>https://repo.maven.apache.org/maven2</url>
+ <layout>default</layout>
+ <snapshots>
+ <enabled>false</enabled>
+@@ -39,7 +39,7 @@
+ <pluginRepository>
+ <id>central</id>
+ <name>Central Repository</name>
+- <url>http://repo.maven.apache.org/maven2</url>
++ <url>https://repo.maven.apache.org/maven2</url>
+ <layout>default</layout>
+ <snapshots>
+ <enabled>false</enabled>
diff -Nru maven-3.0.4/debian/patches/series maven-3.0.4/debian/patches/series
--- maven-3.0.4/debian/patches/series 2012-02-06 22:42:07.000000000 +0100
+++ maven-3.0.4/debian/patches/series 2015-03-03 08:30:52.000000000 +0100
@@ -4,3 +4,4 @@
add_dependencies.diff
force_java15_compiler.diff
no_maven_assembly.diff
+secure-maven-central-access.diff
Reply to: