Bugzilla – Bug 1188529
VUL-0: CVE-2021-26291: maven: Block repositories using http by default
Last modified: 2022-07-25 08:20:46 UTC
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior.
SUSE:SLE-15-SP2:Update is affected.
This is a borderline case, since the old behavior was publicly documented and customers of stable distros might be surprised by the changed behavior. I'd still apply the patches but I appreciate a second opinion.
We currently have maven 3.8.4 in Tumbleweed.