Trending Topics This Week

Here is what people are talking about this week in the world of free and open source software:


Key Security, Maintenance, and Features Releases

Security Updates

Apache Maven 3.8.1
Possible Man-In-The-Middle-Attack due to custom repositories using HTTP
More and more repositories use HTTPS nowadays, but this hasn’t always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because uploaded POMs to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with <blocked> parameter, and we added a new external:http:* mirror selector (like existing external:*), meaning “any external URL using HTTP”.
The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
Possible Domain Hijacking due to custom repositories using abandoned domains
Sonatype has analyzed which domains were abandoned and has claimed these domains.
Possible hijacking of downloads by redirecting to custom repositories
This one was the hardest to analyze and explain. The short story is: you’re safe, dependencies are only downloaded from repositories within their context. So there are two main questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritence, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

Non-Security Updates

JBoss Web Services 5.4.3.Final
JBossWS 5.4.3.Final has been released and is available for download. The maven artifacts have also been released to the Maven repository. In this release, we fixed couple of Jakarta EE9 support issue and upgraded CXF to 3.3.10. Please have a look at the release notes for a full list of the improvements and bug fixes, feedback is welcome as always.


The Long-Term Outlook for CentOS 7 Support

With the December 2020 announcement that Red Hat was going to discontinue CentOS 8 at the end of 2021 (a shocking 8 years ahead of the stated end of life), many folks are wondering if there is any impact to CentOS 7 support. In this blog, we discuss the impact of that announcement on CentOS 7, look at the current status of CentOS 7 support options, and discuss the long-term support outlook for those using this popular Enterprise Linux distribution.

View all OpenUpdate editions >