trafodion-dev mailing list archives

From Dave Birdsall <dave.birds...@esgyn.com>
Subject FW: PRIORITY Action required: Security review for non-https dependency urls
Date Tue, 21 May 2019 17:45:40 GMT
Hi,

Anyone want to take a look at our Trafodion build scripts?

Dave

-----Original Message-----
From: mjc@gsuite.cloud.apache.org <mjc@gsuite.cloud.apache.org> On Behalf Of Apache Security Team
Sent: Tuesday, May 21, 2019 4:30 AM
To: Apache Security Team <security@apache.org>
Subject: PRIORITY Action required: Security review for non-https dependency urls

ASF Security received a report that a number of Apache projects have build dependencies downloaded
using insecure urls. The reporter states this could be used in conjunction with a man-in-the-middle
attack to compromise project builds. The reporter claims this is a significant issue and will
be making an announcement on June 10th, and a number of press releases and industry reaction
are expected.

We have already contacted each of the projects the reporter detected.
However we have not run any scanning ourselves to identify any other instances hence this
email.

We request that you review any build scripts and configurations for insecure urls where appropriate
to your projects, fix them asap, and report back if you had to change anything to security@apache.org
by the 31st May 2019.

The most common finding was HTTP references to repos like maven.org in build files (Gradle,
Maven, SBT, or other tools).  Here is an example showing repositories being used with http
urls that should be changed to https:

https://github.com/apache/flink/blob/d1542e9561c6235feb902c9c6d781ba416b8f784/pom.xml#L1017-L1038

Note that searching for http:// might not be enough; look for http\:// too, due to escaping.

Although this issue is public on June 10th, please make fixes to insecure urls immediately.
Also note that some repos will be moving to blocking http transfers in June and later:

https://central.sonatype.org/articles/2019/Apr/30/http-access-to-repo1mavenorg-and-repomavenapacheorg-is-being-deprecated/

The reporter claims that a full audit of affected projects is required to ensure builds were
not made with tampered dependencies, and that CVE names should be given to each project; however,
we are not requiring this -- we believe it's more likely a third-party repo could
be compromised with a malicious build than a MITM attack. If you
disagree, let us know. Projects like Lucene do checksum whitelists of all their build dependencies,
and you may wish to consider that as a protection against threats beyond just MITM.

Best Regards,
Mark J Cox
VP, ASF Security Team
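The review the notice asks for (find http:// and the escaped http\:// form in Maven, Gradle and SBT build files, then switch them to https) can be scripted. The scanner below is an added example, not part of this thread or of the Trafodion build; the sample pom.xml and gradle.properties contents are constructed, and the list of build-file names and the localhost exemption are assumptions.

```python
import re
import sys
from pathlib import Path

# Matches http:// and the backslash-escaped http\:// that appears in
# .properties-style files. Groups: (1) optional backslash, (2) host, (3) rest.
INSECURE_URL = re.compile(r'\bhttp(\\?)://([A-Za-z0-9.-]+)([^\s"\'<>]*)')

# Assumed: local test repositories are not a MITM concern, so they are skipped.
IGNORED_HOSTS = ("localhost", "127.0.0.1")

# Assumed set of build files worth scanning in a typical Maven/Gradle/SBT tree.
BUILD_FILE_GLOBS = ("pom.xml", "build.gradle", "build.gradle.kts", "*.sbt", "*.properties")


def find_insecure_urls(text, ignore_hosts=IGNORED_HOSTS):
    """Return (line_number, host, url) for every plain-http URL in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in INSECURE_URL.finditer(line):
            if m.group(2) not in ignore_hosts:
                findings.append((lineno, m.group(2), m.group(0)))
    return findings


def upgrade_to_https(text, ignore_hosts=IGNORED_HOSTS):
    """Rewrite http:// and http\\:// to https, keeping the escaping intact."""
    def repl(m):
        if m.group(2) in ignore_hosts:
            return m.group(0)
        return "https" + m.group(1) + "://" + m.group(2) + m.group(3)
    return INSECURE_URL.sub(repl, text)


def scan_tree(root):
    """Yield (path, line_number, host, url) for insecure URLs in build files under root."""
    for pattern in BUILD_FILE_GLOBS:
        for path in Path(root).rglob(pattern):
            for lineno, host, url in find_insecure_urls(path.read_text(errors="replace")):
                yield (str(path), lineno, host, url)


# Constructed sample inputs: a Maven repository block and a Gradle properties file.
SAMPLE_POM = """<repositories>
  <repository>
    <id>central</id>
    <url>http://repo.maven.apache.org/maven2</url>
  </repository>
</repositories>
"""
SAMPLE_PROPS = "systemProp.repoUrl=http\\://repo1.maven.org/maven2\nlocal=http://localhost:8081/repo\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root:
        for hit in scan_tree(root):
            print("%s:%d insecure repository %s (%s)" % hit)
    else:
        print(find_insecure_urls(SAMPLE_POM), find_insecure_urls(SAMPLE_PROPS))
```

Run it with a project root as the first argument to list findings file by file; without an argument it scans the constructed samples.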