Fixes security issue CVE-2013-0253
The default configuration of Apache Maven 3.0.4, when using Maven Wagon 2.1, disables SSL certificate checks, which allows remote attackers to spoof servers via a man-in-the-middle (MITM) attack.
Also added pkg-plist to port
Fix: Patch attached with submission follows:
Cool, you picked up maintenance too!
There are leftovers:
=== Checking filesystem state
list of files present before this port was installed but missing after it was deinstalled)
Can you figure out what's wrong and tell me how to fix it?
A "delta" patch or hand-edit instruction is fine; I'll just run it through redports again.
Sure, I'll look into that this evening. I think I can guess why the first 2 lines appear, but not sure about
Isn't that expected if the dependent jdk is at a newer version too? Sorry, I'm new to this port business. :-)
The deleting openjdk line is out of context; I should not have included it.
As part of the file system sanity checks, it:
1) Checks before and after the package was installed and deinstalled
2) Checks before and after all the dependencies are installed and deinstalled
For 2) that's the basic clean filesystem. At the end of 2) when everything is deinstalled, the resulting filesystem should be the same as when it started.
This failed the first check and the deleting openjdk6 line was part of the second step. Just look at the entire log and it will make sense.
Created attachment 143661
Maven 3 patch
Removed the unnecessary maven-wrapper removal
OK, it was what I thought it was, phew! Sorry about that and thanks for spotting it. I've added a new complete diff file.
A commit references this bug:
Date: Wed Jun 11 08:09:33 UTC 2014
New revision: 357428
devel/maven3: Upgrade version 3.0.4 => 3.0.5 (Fixes security issue)
* This fixes CVE-2013-0253
* Assign maintenance to submitter
* Use pkg-plist instead of file list
* This passes 8x redports
Submitted by: wombat