I see; I didn't realize it was possible to use maven 3 with wagon 1. Thanks for helping clarify this.
On Tue, Feb 3, 2015 at 10:23 AM, Emmanuel Bourg <ebo...@apache.org> wrote: > Le 03/02/2015 19:06, Christopher Currie a écrit : > > > Thanks; the issue is that I would like to see that CVE fixed for > > precise. It looks like precise doesn't have libwagon2-java, only > > libwagon-java. Has anyone worked with the Ubuntu security team, and can > > say whether they'd allow a *new* package to be added, to fix a security > > issue? > > If precise doesn't have libwagon2-java you are probably safe. The > description of CVE-2013-0253 states that wagon was vulnerable starting > with the version 2.1. And looking at the patch for wagon 2 [1], none of > the code modified exists in wagon 1. > > Emmanuel Bourg > > [1] > > https://sources.debian.net/src/wagon2/2.2-3%2Bnmu1/debian/patches/cve-2013-0253.patch/ > > -- Christopher Currie Engineering, Usermind <http://www.usermind.com> codemon...@usermind.com 206.353.2867 x109
