Maven – Release Notes – Maven 3.8.1

Contents

  • 1 Release Notes – Maven 3.8.1
    • 1.1 Overview about the changes
      • 1.1.1 CVE-2021-26291
      • 1.1.2 CVE-2020-13956
    • 1.2 Why does this version have the value 3.8.1?
    • 1.3 How to fix when I get a HTTP repository blocked?
    • 1.4 The detailed issue list

Release Notes – Maven 3.8.1

The Apache Maven team would like to announce the release of Maven 3.8.1.
Maven 3.8.1 is available for download.
Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting, and documentation from a central place.
The core release is independent of plugin releases. Further releases of plugins will be made separately. See the PluginList for more information.

If you have any questions, please consult:

  • the web site: https://flickroom.net/
  • the maven-user mailing list: https://flickroom.net/mailing-lists.html
  • the reference documentation: https://flickroom.net/ref/3.8.1/

Overview about the changes

This release covers two CVEs:

CVE-2021-26291

We received a report from Jonathan Leitschuh about a vulnerability of custom repositories in dependency POMs. We've split this up into three separate issues:

  • possible Man-In-The-Middle-Attack due to custom repositories using HTTP
    More and more repositories use HTTPS nowadays, but this hasn't always been the case. This means that Maven Central contains POMs with custom repositories that refer to a URL over HTTP. This makes downloads via such a repository a target for a MITM attack. At the same time, developers are probably not aware that for some downloads an insecure URL is being used. Because POMs uploaded to Maven Central are immutable, a change for Maven was required. To solve this, we extended the mirror configuration with a <blocked> parameter, and we added a new external:http:* mirror selector (like the existing external:*), meaning "any external URL using HTTP".
    The decision was made to block such external HTTP repositories by default: this is done by providing a mirror in the conf/settings.xml blocking insecure HTTP external URLs.
  • possible Domain Hijacking due to custom repositories using abandoned domains
    Sonatype has analyzed which domains were abandoned and has claimed these domains.
  • potential hijacking of downloads by redirecting to custom repositories
    This one was the hardest to analyze and explain. The short story is: you're safe, dependencies are only downloaded from repositories within their context. So there are two independent questions: what is the context and what is the order? The order is described on the Repository Order page. The first group of repositories are defined in the settings.xml (both user and global). The second group of repositories are based on inheritance, with ultimately the super POM containing the URL to Maven Central. The third group is the most complex one but is important to understand the term context: repositories from the effective POMs from the dependency path to the artifact. So if a dependency was defined by another dependency or by a Maven project, it will also include their repositories. In the end this is not a bug, but a design feature.

CVE-2020-13956

Apache HttpClient is a transitive dependency of Maven Resolver via Maven Wagon, so we've updated those versions as part of this release.

Why does this version have the value 3.8.1?

  • Why not 3.6.4?
    This is not just a bugfix as it contains three features that cause a change of default behavior (external HTTP insecure URLs are now blocked by default): your builds may fail when using this new Maven release, if you use now-blocked repositories. Please check and eventually fix before upgrading.

  • Why not 3.7.0?
    Apache Maven 3.7.0 has been advertised in the past as the first release where you could optionally activate the build/consumer feature: the version containing this feature has been renamed to 4.0.0. Reusing 3.7.0 might lead to confusion, therefore we picked the next available minor version.
  • Why not 3.8.0?
    With every release there's a 72h+ voting period. During the vote of 3.8.0 a bug was discovered, one that was crucial enough to cancel the vote. With Maven we burn versions, to ensure we're always talking about the same "version". This way there will never be confusion about which Maven 3.8.0 one was using.

How to fix when I get a HTTP repository blocked?

If the repository is defined in your pom.xml, please fix it in your source code.
If the repository is defined in the POM of one of your dependencies, you'll get a message like:

[ERROR] Failed to execute goal on project test: Could not resolve dependencies for project xxx: Failed to collect dependencies at my.test:dependency:version -> my.test.transitive:transitive:version: Failed to read artifact descriptor for my.test.transitive:transitive:jar:version: Could not transfer artifact my.test.transitive:transitive:pom:version from/to maven-default-http-blocker (http://0.0.0.0/): Blocked mirror for repositories: [blocked-repository-id (http://blocked.repository.org, default, releases+snapshots)]

Options to fix are:

  • upgrade the dependency version to a newer version that replaced the obsolete HTTP repository URL with a HTTPS one,
  • keep the dependency version but define a mirror in your settings.
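
To find repository declarations that will hit the default blocker before upgrading, a POM can be scanned for external HTTP URLs. The script below is an added example, not part of the Maven release notes or the Maven code base; it approximates the external:http:* selector as "plain HTTP to a non-local host" (an assumption), and the sample POM and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample POM (not from the release notes).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>blocked-repository-id</id><url>http://blocked.repository.org</url></repository>
    <repository><id>secure-repo</id><url>https://repo.example.org/maven2</url></repository>
    <repository><id>local-proxy</id><url>http://localhost:8081/repo</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>legacy-plugins</id><url>HTTP://plugins.example.org/m2</url></pluginRepository>
  </pluginRepositories>
  <distributionManagement>
    <repository><id>deploy-target</id><url>http://deploy.example.org/releases</url></repository>
  </distributionManagement>
</project>"""

# Assumption: these hosts count as "not external" for the selector.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def is_external_http(url):
    """Approximate external:http:* as plain HTTP to a non-local host."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "http" and (parts.hostname or "") not in LOCAL_HOSTS

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def blocked_repositories(pom_xml):
    """Return sorted (id, url) pairs for download repositories in one POM
    (top level or inside profiles) that the default blocker would match."""
    hits = set()
    for container in ET.fromstring(pom_xml).iter():
        if local_name(container.tag) not in ("repositories", "pluginRepositories"):
            continue  # distributionManagement is a deployment target, out of scope here
        for repo in container:
            fields = {local_name(c.tag): (c.text or "").strip() for c in repo}
            if is_external_http(fields.get("url", "")):
                hits.add((fields.get("id", "?"), fields["url"]))
    return sorted(hits)

if __name__ == "__main__":
    for repo_id, url in blocked_repositories(SAMPLE_POM):
        print(f"would be blocked: {repo_id} -> {url}")
```

Because repositories also come from the POMs of dependencies, run the check over those POMs as well, not only your own pom.xml.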

The detailed issue list

Bug

[MNG-7128] - improve error message when blocked repository defined in build POM

New Feature

[MNG-7116] - Add support for mirror selector on external:http:*
[MNG-7117] - Add support for blocking mirrors
[MNG-7118] - Block external HTTP repositories by default

Dependency upgrade

[MNG-7119] - Upgrade Maven Wagon to 3.4.3
[MNG-7123] - Upgrade Maven Resolver to 1.6.2

The full list of changes can be found in our issue management system.
