author | Kevin Bowling <kbowling@FreeBSD.org> | 2021-04-19 04:05:30 +0000 |
---|---|---|
committer | Kevin Bowling <kbowling@FreeBSD.org> | 2021-04-19 04:11:34 +0000 |
commit | 887cfadcdf5e7ce9a33ef83ee6ee7b63ff855830 (patch) | |
tree | 7cdc9cadeae0fbd5ceef30390985ac9c3f7581a8 | |
parent | 68457b801edd40093c0b8b624c7423868b5db95a (diff) |
devel/maven: update to 3.8.1
This is not just a bugfix as it contains three features that cause a change of
default behavior (external HTTP insecure URLs are now blocked by default): your
builds may fail when using this new Maven release, if you use now-blocked
repositories. Please check and eventually fix before upgrading.
Changes http://maven.apache.org/docs/3.8.1/release-notes.html
PR: 255161
Approved by: Jonathan Chen <jonc@chen.org.nz> (maintainer)
Security: CVE-2021-26291
CVE-2020-13956
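The check the commit message asks for before upgrading, as an added example (not code from the port, Maven or the FreeBSD ports tree): parse a project's POM repository entries and apply the `<blocked>true</blocked>` mirror that Maven 3.8.1 ships in conf/settings.xml, so repositories the new `external:http:*` default would refuse are listed before the build breaks. The settings and POM strings are constructed samples, and `matches_mirror_of` is an approximation of Maven's mirrorOf matching (treating "external" as any host other than localhost/127.0.0.1 and any non-file URL), not Maven's own code.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the blocking mirror Maven 3.8.1 ships in conf/settings.xml
# (shape taken from the 3.8.1 release notes; assembled inline, not read from disk).
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"><mirrors><mirror>
  <id>maven-default-http-blocker</id><mirrorOf>external:http:*</mirrorOf>
  <url>http://0.0.0.0/</url><blocked>true</blocked></mirror></mirrors></settings>"""
# Constructed sample POM: two repositories the default blocks, two it leaves alone.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0"><repositories>
  <repository><id>legacy-http</id><url>http://repo.example.org/maven2</url></repository>
  <repository><id>local-proxy</id><url>http://localhost:8081/repository</url></repository>
  <repository><id>tls</id><url>https://repo.example.org/maven2</url></repository>
</repositories><pluginRepositories>
  <pluginRepository><id>plugins-http</id><url>http://plugins.example.net/m2</url></pluginRepository>
</pluginRepositories></project>"""

def _local(tag):  # strip the XML namespace: "{ns}url" -> "url"
    return tag.rsplit("}", 1)[-1]
def _fields(elem):  # child tag -> text for one <mirror> / <repository> element
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def matches_mirror_of(pattern, repo_id, url):
    """Approximation (assumption) of Maven's mirrorOf matching for "*", "external:*",
    the 3.8.1 "external:http:*" selector, a repository id and a "!id" exclusion."""
    parts = urlparse(url)
    local = (parts.hostname or "") in ("localhost", "127.0.0.1")
    matched = False
    for token in (t.strip() for t in pattern.split(",")):
        if token == "!" + repo_id:
            return False  # an explicit exclusion always wins
        if token in ("*", repo_id):
            matched = True
        elif token == "external:*":
            matched |= not (local or parts.scheme == "file")
        elif token == "external:http:*":
            matched |= parts.scheme == "http" and not local
    return matched

def blocked_repositories(pom_xml, settings_xml):
    """[(repo id, url, mirror id)] for POM repositories a <blocked>true</blocked> mirror catches."""
    blockers = [f for f in map(_fields, ET.fromstring(settings_xml).iter())
                if "mirrorOf" in f and f.get("blocked", "").lower() == "true"]
    hits = []
    for repo in map(_fields, (r for r in ET.fromstring(pom_xml).iter()
                              if _local(r.tag) in ("repository", "pluginRepository"))):
        for b in blockers:
            if matches_mirror_of(b["mirrorOf"], repo.get("id", ""), repo.get("url", "")):
                hits.append((repo.get("id", ""), repo["url"], b["id"]))
                break
    return hits
```

Repositories reached only through dependency POMs are not visible to this scan; those need the same check against each effective POM, as the release notes' "context" discussion describes.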
-rw-r--r-- | devel/maven/Makefile | 2 | ||||
-rw-r--r-- | devel/maven/distinfo | 6 | ||||
-rw-r--r-- | devel/maven/pkg-plist | 18 | ||||
-rw-r--r-- | security/vuxml/vuln.xml | 67 |
4 files changed, 80 insertions, 13 deletions
diff --git a/devel/maven/Makefile b/devel/maven/Makefile index 42cac2993d5e..d2d77f4a1028 100644 --- a/devel/maven/Makefile +++ b/devel/maven/Makefile @@ -1,7 +1,7 @@ # Created by: JonathanChen <jonc@chen.org.nz> PORTNAME= maven -DISTVERSION= 3.6.3 +DISTVERSION= 3.8.1 CATEGORIES= devel java MASTER_SITES= APACHE/maven/maven-3/${DISTVERSION}/binaries DISTNAME= apache-maven-${DISTVERSION}-bin diff --git a/devel/maven/distinfo b/devel/maven/distinfo index 4912d96568fe..57ad8a2cf1ef 100644 --- a/devel/maven/distinfo +++ b/devel/maven/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1575665365 -SHA256 (apache-maven-3.6.3-bin.tar.gz) = 26ad91d751b3a9a53087aefa743f4e16a17741d3915b219cf74112bf87a438c5 -SIZE (apache-maven-3.6.3-bin.tar.gz) = 9506321 +TIMESTAMP = 1618695108 +SHA256 (apache-maven-3.8.1-bin.tar.gz) = b98a1905eb554d07427b2e5509ff09bd53e2f1dd7a0afa38384968b113abef02 +SIZE (apache-maven-3.8.1-bin.tar.gz) = 9536838 diff --git a/devel/maven/pkg-plist b/devel/maven/pkg-plist index 4f40a59ef93a..3988d3cd5e82 100644 --- a/devel/maven/pkg-plist +++ b/devel/maven/pkg-plist 
@@ -45,13 +45,13 @@ %%DATADIR%%/lib/maven-model-builder-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-plugin-api-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-repository-metadata-%%PORTVERSION%%.jar -%%DATADIR%%/lib/maven-resolver-api-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-connector-basic-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-impl-1.4.1.jar +%%DATADIR%%/lib/maven-resolver-api-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-connector-basic-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-impl-1.6.2.jar %%DATADIR%%/lib/maven-resolver-provider-%%PORTVERSION%%.jar -%%DATADIR%%/lib/maven-resolver-spi-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-transport-wagon-1.4.1.jar -%%DATADIR%%/lib/maven-resolver-util-1.4.1.jar +%%DATADIR%%/lib/maven-resolver-spi-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-transport-wagon-1.6.2.jar +%%DATADIR%%/lib/maven-resolver-util-1.6.2.jar %%DATADIR%%/lib/maven-settings-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-settings-builder-%%PORTVERSION%%.jar %%DATADIR%%/lib/maven-shared-utils-3.2.1.jar @@ -72,7 +72,7 @@ %%DATADIR%%/lib/plexus-utils.license %%DATADIR%%/lib/slf4j-api-1.7.29.jar %%DATADIR%%/lib/slf4j-api.license -%%DATADIR%%/lib/wagon-file-3.3.4.jar -%%DATADIR%%/lib/wagon-http-3.3.4-shaded.jar -%%DATADIR%%/lib/wagon-provider-api-3.3.4.jar +%%DATADIR%%/lib/wagon-file-3.4.3.jar +%%DATADIR%%/lib/wagon-http-3.4.3-shaded.jar +%%DATADIR%%/lib/wagon-provider-api-3.4.3.jar %%DATADIR%%/maven-%%PORTVERSION%% diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 3359ddc18d34..97c9911ca975 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -76,6 +76,73 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="20006b5f-a0bc-11eb-8ae6-fc4dd43e2b6a"> + <topic>Apache Maven -- multiple vulnerabilities</topic> + <affects> + <package> + <name>maven</name> + <range><lt>3.8.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Apache Maven project reports:</p> + <blockquote cite="http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291"> + <p>We received a report from Jonathan Leitschuh about a vulnerability + of custom repositories in dependency POMs. We've split this up + into three separate issues:</p> + <ul> + <li>Possible Man-In-The-Middle-Attack due to custom repositories + using HTTP. + + More and more repositories use HTTPS nowadays, but this + hasn't always been the case. This means that Maven Central contains + POMs with custom repositories that refer to a URL over HTTP. This + makes downloads via such repository a target for a MITM attack. At + the same time, developers are probably not aware that for some + downloads an insecure URL is being used. Because uploaded POMs to + Maven Central are immutable, a change for Maven was required. To + solve this, we extended the mirror configuration with blocked + parameter, and we added a new external:http:* mirror selector (like + existing external:*), meaning "any external URL using HTTP". + + The decision was made to block such external HTTP repositories by default: + this is done by providing a mirror in the conf/settings.xml blocking + insecure HTTP external URLs.</li> + <li>Possible Domain Hijacking due to custom repositories using abandoned + domains + + Sonatype has analyzed which domains were abandoned and has claimed these + domains.</li> + <li>Possible hijacking of downloads by redirecting to custom repositories + + This one was the hardest to analyze and explain. 
The short story is: + you're safe, dependencies are only downloaded from repositories within + their context. So there are two main questions: what is the context and + what is the order? The order is described on the Repository Order page. + The first group of repositories are defined in the settings.xml (both user + and global). The second group of repositories are based on inheritence, + with ultimately the super POM containing the URL to Maven Central. The + third group is the most complex one but is important to understand the + term context: repositories from the effective POMs from the dependency + path to the artifact. So if a dependency was defined by another dependency + or by a Maven project, it will also include their repositories. In the end + this is not a bug, but a design feature.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <url>http://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291</url> + <cvename>CVE-2021-26291</cvename> + <cvename>CVE-2020-13956</cvename> + </references> + <dates> + <discovery>2021-04-04</discovery> + <entry>2021-04-19</entry> + </dates> + </vuln> + <vuln vid="093a6baf-9f99-11eb-b150-000c292ee6b8"> <topic>Consul -- Multiple vulnerabilities</topic> <affects> |
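Review bot: the new SHA256 for apache-maven-3.8.1-bin.tar.gz in the distinfo hunk should be cross-checked against the checksum Apache publishes for that release, not only computed from the copy a mirror served, because the Makefile hunk points MASTER_SITES at APACHE/maven/maven-3/${DISTVERSION}/binaries, which resolves to mirrors; recording that cross-check in PR 255161 would make the supply-chain step auditable.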
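Review bot: the maven-resolver-*-1.4.1.jar to 1.6.2 renames in the `@@ -45,13 +45,13 @@` pkg-plist hunk look hand-edited (neighbouring versioned entries such as maven-shared-utils-3.2.1.jar and slf4j-api-1.7.29.jar are untouched), so please run `make check-plist` against the 3.8.1 distfile to confirm no other bundled jar changed name; a stale or missing entry surfaces as a plist mismatch at package time.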
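Review bot: the vuln.xml entry lists `<cvename>CVE-2020-13956</cvename>` under `<references>` but the `<description>` body and the only `<url>` cover CVE-2021-26291 alone, so a reader cannot tell what the second CVE is or which bundled component it affects; add a short paragraph and a reference URL for CVE-2020-13956. Minor: the `<blockquote cite="http://maven.apache.org/...">` and `<url>http://maven.apache.org/...</url>` references use http:// for an advisory about blocking insecure HTTP; switch them to https://.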