<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_CONFIRMED" title="CONFIRMED - [CVE 21] maven 3.5.4 CVEs found" href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13273">13273</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] maven 3.5.4 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2021-26291, CVE-2021-26719
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package maven version 3.5.4
INFO (CVEs are): maven 3.5.4
CVEs found
CVE-2021-26291
Desc: Apache Maven will follow repositories that are defined in a dependency’s
Project Object Model (pom) which may be surprising to some users, resulting in
potential risk if a malicious actor takes over that repository or is able to
insert themselves into a position to pretend to be that repository. Maven is
changing the default behavior in 3.8.1+ to no longer follow http (non-SSL)
repository references by default. More details available in the referenced
URLs. If you are currently using a repository manager to govern the
repositories used by your builds, you are unaffected by the risks present in
the legacy behavior, and are unaffected by this vulnerability and change to
default behavior. See this link for more information about repository
management: <a href="https://maven.apache.org/repository-management.html">https://maven.apache.org/repository-management.html</a>
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26291">https://nvd.nist.gov/vuln/detail/CVE-2021-26291</a>
Severity: CRITICAL
CVE-2021-26719
Desc: A directory traversal issue was discovered in Gradle
gradle-enterprise-test-distribution-agent before 1.3.2,
test-distribution-gradle-plugin before 1.3.2, and
gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain
credentials) can perform a registration step such that crafted TAR archives
lead to extraction of files into arbitrary filesystem locations.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26719">https://nvd.nist.gov/vuln/detail/CVE-2021-26719</a>
Severity: MEDIUM</pre>
</div>
</p>
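<p>Added example (not part of the bug report or of Maven itself): a small Python scanner that finds the plain-http repository declarations the first CVE describes, the ones Maven 3.8.1+ refuses to follow by default. The sample POM and its example.test hosts are constructed placeholders.</p>

```python
# Added example: find plain-http <repository>/<pluginRepository> URLs in a Maven
# POM. Not code from the bug report or from Maven; it reproduces over a POM file
# the check that Maven 3.8.1+ applies by default (blocking external http repos).
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample POM; the example.test hosts are placeholders, not real servers.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy</id><url>http://repo.example.test/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""


def _local(tag: str) -> str:
    """Strip the POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_http_repositories(pom_xml: str) -> list[tuple[str, str, str]]:
    """Return (kind, id, url) for each <repository>/<pluginRepository> whose URL
    scheme is plain http. urlsplit() lowercases the scheme, so HTTP:// matches too."""
    root = ET.fromstring(pom_xml)
    hits: list[tuple[str, str, str]] = []
    for section in root.iter():
        if _local(section.tag) not in ("repositories", "pluginRepositories"):
            continue
        for repo in section:
            fields = {_local(c.tag): (c.text or "").strip() for c in repo}
            url = fields.get("url", "")
            if urlsplit(url).scheme == "http":
                hits.append((_local(repo.tag), fields.get("id", ""), url))
    return hits


if __name__ == "__main__":
    for kind, repo_id, url in find_http_repositories(SAMPLE_POM):
        print(f"{kind} '{repo_id}' uses plain http: {url}")
```

Because the risk comes from repositories declared in dependency POMs, the same function is most useful run over the cached `*.pom` files under the local repository (for example `~/.m2/repository`), not only over the build's own pom.xml.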
</body>
</html>