From: Ilya Kasnacheev
Date: Tue, 21 May 2019 17:17:18 +0300
Subject: Re: PRIORITY Action required: Security review for non-https dependency urls
To: dev@ignite.apache.org

Hello!

I think we still have an http dependency on H2:

    <repository>
        <releases>
            <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
            <updatePolicy>always</updatePolicy>
            <checksumPolicy>ignore</checksumPolicy>
        </snapshots>
        <id>h2database.com</id>
        <name>Snapshot repository on h2database.com</name>
        <url>http://h2database.com/m2-repo</url>
        <layout>default</layout>
    </repository>

WDYT?

Regards,
--
Ilya Kasnacheev

Tue, 21 May 2019 at 17:08, Denis Magda:

> Igniters,
>
> Could anybody confirm we don't have any issues with that?
>
> Denis
>
> ---------- Forwarded message ----------
> From: Apache Security Team
> Date: Tuesday, May 21, 2019
> Subject: PRIORITY Action required: Security review for non-https dependency urls
> To: Apache Security Team
>
> ASF Security received a report that a number of Apache projects have
> build dependencies downloaded using insecure urls. The reporter states
> this could be used in conjunction with a man-in-the-middle attack to
> compromise project builds. The reporter claims this is a significant
> issue and will be making an announcement on June 10th, and a number of
> press releases and industry reaction is expected.
>
> We have already contacted each of the projects the reporter detected.
> However, we have not run any scanning ourselves to identify any other
> instances, hence this email.
>
> We request that you review any build scripts and configurations for
> insecure urls where appropriate to your projects, fix them asap, and
> report back if you had to change anything to security@apache.org by
> the 31st May 2019.
>
> The most common finding was HTTP references to repos like maven.org in
> build files (Gradle, Maven, SBT, or other tools). Here is an example
> showing repositories being used with http urls that should be changed
> to https:
>
> https://github.com/apache/flink/blob/d1542e9561c6235feb902c9c6d781ba416b8f784/pom.xml#L1017-L1038
>
> Note that searching for http:// might not be enough; look for http\://
> too, due to escaping.
>
> Although this issue is public on June 10th, please make fixes to
> insecure urls immediately. Also note that some repos will be moving
> to blocking http transfers in June and later:
>
> https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/
>
> The reporter claims that a full audit of affected projects is required
> to ensure builds were not made with tampered dependencies, and that
> CVE names should be given to each project; however, we are not
> requiring this -- we believe it's more likely a third party repo could
> be compromised with a malicious build than a MITM attack. If you
> disagree, let us know. Projects like Lucene do checksum whitelists of
> all their build dependencies, and you may wish to consider that as a
> protection against threats beyond just MITM.
>
> Best Regards,
> Mark J Cox
> VP, ASF Security Team
>
> --
> -
> Denis
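Added example (Python, written for this archive page; it is not code from the Ignite project, the ASF Security Team, or anyone in the thread): a scanner for the kind of review the ASF note asks for. It parses a constructed pom.xml modelled on the H2 repository block above and reports cleartext `<url>` entries in repository elements, plus any `checksumPolicy` set to `ignore` (with that setting Maven accepts an artifact whose checksum does not match what the repository publishes, so a tampered download is not noticed). For other build files it does a line scan that also catches the escaped `http\://` spelling the note mentions, while skipping `xmlns` namespace identifiers, which are not downloads. The file names and the `repo.example.test` host are constructed; `harden_pom` assumes the affected hosts actually serve the repository over TLS.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample inputs (not files from any real repository): a pom.xml
# fragment modelled on the H2 repository block in the thread, and a
# gradle.properties fragment using the escaped "http\://" form.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <releases><enabled>false</enabled></releases>
      <snapshots>
        <enabled>true</enabled>
        <updatePolicy>always</updatePolicy>
        <checksumPolicy>ignore</checksumPolicy>
      </snapshots>
      <id>h2database.com</id>
      <name>Snapshot repository on h2database.com</name>
      <url>http://h2database.com/m2-repo</url>
      <layout>default</layout>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
</project>
"""

SAMPLE_PROPERTIES = """# constructed gradle.properties fragment (hypothetical host)
systemProp.repoUrl=http\\://repo.example.test/maven2
mirrorUrl=https\\://repo.example.test/maven2
"""

# Matches plain "http://" and the backslash-escaped "http\://" form.
# Group 1 is "s" for https and "" for cleartext http.
URL_RE = re.compile(r'''\bhttp(s?)\\?://[^\s"'<>]+''')
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "insecure-url" or "checksum-ignored"
    detail: str


def _local(tag: str) -> str:
    """Strip the namespace: '{http://maven.apache.org/POM/4.0.0}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def _line_of(text: str, needle: str) -> int:
    return text.count("\n", 0, text.find(needle)) + 1


def scan_pom(path: str, text: str) -> list[Finding]:
    """Inspect repository URLs and checksum policies in a Maven POM."""
    findings = []
    root = ET.fromstring(text)
    for el in root.iter():
        if _local(el.tag) in REPO_TAGS:
            for child in el:
                url = (child.text or "").strip()
                if _local(child.tag) == "url" and url.startswith("http://"):
                    findings.append(Finding(path, _line_of(text, url), "insecure-url", url))
        elif _local(el.tag) == "checksumPolicy" and (el.text or "").strip() == "ignore":
            # "ignore" makes Maven keep an artifact whose checksum differs from
            # the one the repository publishes, so tampering goes unnoticed.
            findings.append(Finding(path, _line_of(text, "<checksumPolicy>ignore"),
                                    "checksum-ignored", "checksumPolicy=ignore"))
    return findings


def scan_text(path: str, text: str) -> list[Finding]:
    """Line-oriented scan for other build files (Gradle, SBT, .properties)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            if m.group(1) == "s":
                continue
            # An xmlns attribute is a namespace identifier, not a download.
            if re.search(r'xmlns(:\w+)?="$', line[: m.start()]):
                continue
            findings.append(Finding(path, lineno, "insecure-url", m.group(0)))
    return findings


def harden_pom(text: str) -> str:
    """Switch repository URLs to https and stop ignoring checksum mismatches.

    Assumes every affected host serves the repository over TLS; the xmlns
    namespace URI is deliberately left alone, since it is an identifier.
    """
    text = text.replace("<url>http://", "<url>https://")
    return text.replace("<checksumPolicy>ignore</checksumPolicy>",
                        "<checksumPolicy>fail</checksumPolicy>")


if __name__ == "__main__":
    for f in scan_pom("pom.xml", SAMPLE_POM) + scan_text("gradle.properties", SAMPLE_PROPERTIES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.detail}")
    print("after hardening:", scan_pom("pom.xml", harden_pom(SAMPLE_POM)))
```

Run against a real tree, `scan_pom` is the right tool for POM files (it looks only at repository `<url>` elements and so does not trip over namespace URIs), while `scan_text` covers Gradle, SBT and properties files where a plain `grep http://` would miss the escaped form.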
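Added example (Python, written for this archive page, not code from Lucene, Ignite or anyone in the thread) for the last paragraph of the ASF note, the checksum whitelist of build dependencies. A pinned-digest file checked in next to the build protects against both cases the note weighs, a MITM on an http download and a third-party repository that serves a malicious build, because the expected hash comes from the project's own reviewed history rather than from the repository. The allowlist line format, the `org.example` coordinates and the jar contents are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact contents standing in for downloaded jars; none of
# these are real dependencies of any project.
GOOD_JAR = b"PK\x03\x04 constructed contents of lib-a-1.0.jar"
ORIGINAL_LIB_B = b"PK\x03\x04 constructed contents of lib-b-2.3.jar"
TAMPERED_LIB_B = ORIGINAL_LIB_B + b" (modified on the way to the build)"
UNPINNED_JAR = b"PK\x03\x04 constructed contents of lib-c-0.9.jar"
NEVER_DOWNLOADED_DIGEST = "0" * 64  # placeholder pin for an artifact the build never fetched

# Assumed allowlist format: one "<sha256>  <groupId:artifactId:version>" line
# per dependency, like sha256sum output. The file is checked in next to the
# build and changed only through a reviewed commit.
ALLOWLIST_TEXT = f"""# constructed allowlist
{sha256_hex(GOOD_JAR)}  org.example:lib-a:1.0
{sha256_hex(ORIGINAL_LIB_B)}  org.example:lib-b:2.3
{NEVER_DOWNLOADED_DIGEST}  org.example:lib-d:4.1
"""

# What the dependency resolver handed us for this build (constructed).
SAMPLE_DOWNLOADS = {
    "org.example:lib-a:1.0": GOOD_JAR,        # matches its pin
    "org.example:lib-b:2.3": TAMPERED_LIB_B,  # content differs from its pin
    "org.example:lib-c:0.9": UNPINNED_JAR,    # no pin at all
}


def parse_allowlist(text: str) -> dict[str, str]:
    """Parse the pinned-digest file; reject digests that are not 64 hex chars."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        digest, coords = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {coords}")
        pins[coords.strip()] = digest
    return pins


def verify_artifact(coords: str, data: bytes, pins: dict[str, str]) -> str:
    """Return 'ok', 'mismatch' (pinned but content differs) or 'unlisted'."""
    expected = pins.get(coords)
    if expected is None:
        return "unlisted"
    # compare_digest keeps the comparison time independent of where it differs.
    return "ok" if hmac.compare_digest(sha256_hex(data), expected) else "mismatch"


def verify_all(downloads: dict[str, bytes], pins: dict[str, str]) -> dict[str, str]:
    """Check every download against the pins and report pins with no download."""
    report = {c: verify_artifact(c, d, pins) for c, d in downloads.items()}
    for coords in pins:
        report.setdefault(coords, "missing")
    return report


def build_allowed(report: dict[str, str]) -> bool:
    """The build proceeds only when every artifact is pinned and matches."""
    return bool(report) and all(status == "ok" for status in report.values())


if __name__ == "__main__":
    result = verify_all(SAMPLE_DOWNLOADS, parse_allowlist(ALLOWLIST_TEXT))
    for coords, status in sorted(result.items()):
        print(f"{status:9} {coords}")
    print("build allowed:", build_allowed(result))
```

Treating "unlisted" and "missing" as failures, not just "mismatch", is deliberate: a dependency that was added without a pin, or a pin whose artifact is no longer fetched, both mean the allowlist and the build have drifted apart and should be reconciled in a reviewed change rather than silently accepted.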