http://maven.apache.org/docs/3.0.5/release-notes.html
Apache Maven 3.0.5 is a maintenance release that fixes a security
issue, CVE-2013-0253, in Apache Maven 3.0.4.
http://maven.apache.org/security.html
CVE-2013-0253 Apache Maven 3.0.4
Apache Maven 3.0.4 (with Apache Maven Wagon 2.1) introduced
a non-secure SSL mode by default. This mode
disables all SSL certificate checking, including host
name verification, date validity, and certificate chain.
Not validating the certificate introduces the possibility
of a man-in-the-middle attack.
All users are recommended to upgrade to Apache Maven 3.0.5
and Apache Maven Wagon 2.4.
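An added example (not from the Maven project or this page): a small Python audit that flags the affected Maven version from a "mvn --version" banner and reports which of the three checks named above are switched off by Wagon HTTP system properties. The property names are taken from the Wagon HTTP documentation, not from this page; the sample banner and MAVEN_OPTS line are constructed.

```python
import re

# Wagon HTTP system properties that switch off the checks named in the
# advisory. Names are from the Wagon HTTP documentation (assumption: they
# are not listed on this page).
INSECURE_PROPS = {
    "maven.wagon.http.ssl.insecure": "certificate chain",
    "maven.wagon.http.ssl.allowall": "host name verification",
    "maven.wagon.http.ssl.ignore.validity.dates": "date validity",
}

_VERSION_RE = re.compile(r"Apache Maven (\d+(?:\.\d+)*)")
_PROP_RE = re.compile(r"-D(maven\.wagon\.http\.ssl\.[\w.]+)=(\S+)")


def maven_version(banner):
    """Return the version tuple found in `mvn --version` output, or None."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected(banner):
    """True for the release this page names as affected: Maven 3.0.4."""
    return maven_version(banner) == (3, 0, 4)


def disabled_checks(text):
    """Return the sorted list of TLS checks turned off by -D flags in text.

    Only an explicit =true (any case, optionally quoted) is counted.
    """
    found = set()
    for name, value in _PROP_RE.findall(text):
        if name in INSECURE_PROPS and value.strip("'\"").lower() == "true":
            found.add(INSECURE_PROPS[name])
    return sorted(found)


# Constructed sample inputs, not captured from a real system.
SAMPLE_BANNER = "Apache Maven 3.0.4 (constructed sample)\nMaven home: /opt/maven"
SAMPLE_OPTS = ('MAVEN_OPTS="-Xmx512m -Dmaven.wagon.http.ssl.insecure=true '
               '-Dmaven.wagon.http.ssl.allowall=true"')

if __name__ == "__main__":
    print("affected by CVE-2013-0253:", is_affected(SAMPLE_BANNER))
    print("checks disabled by flags:", disabled_checks(SAMPLE_OPTS))
```

Run it over build scripts, CI definitions and shell profiles as well as the live banner: an upgraded Maven can still be told to skip these checks through the flags.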
Maven 2.2.1 aims to correct several critical regressions related to
the selection of the HttpClient-based Wagon implementation for
HTTP/HTTPS transfers in Maven 2.2.0. The new release reverts this
selection, reinstating the Sun-based - or lightweight - Wagon
implementation as the default for this sort of traffic. However, Maven
2.2.1 goes a step further to provide a means of selecting which
provider - or implementation - the user wishes to use for a particular
transfer protocol. More information on providers can be found in our
Guide to Wagon Providers.
In addition, Maven 2.2.1 addresses some long-standing problems related
to injecting custom lifecycle mappings and artifact handlers. These
custom components are now correctly loaded regardless of whether they
come from a plugin with the extensions flag enabled, or from a pure
build extension. In addition, custom artifact handlers now will be
used to configure the attributes of the main project artifact in
addition to any artifacts related to dependencies or project
attachments created during the build.
Maven 2.2.0 contains a few important changes that justify the version
upgrade, instead of simply naming it 2.1.1. First, the Java requirement
for Maven 2.2.0 has been upgraded to 1.5 or later. This upgrade was
planned for 2.1.0, but that release still contained binaries that were
compatible with JDK 1.4. In addition, due to some serious flaws in the
version-expression POM transformation included in 2.1.0, this feature
has been removed for the time being. Finally, some new default execution
IDs have been added to Maven to enable the separation of configuration
for plugins bound by the default lifecycle mappings, and for those
invoked directly from the command line.
Changes that may affect existing builds
* MNG-4143 - Starting in 2.2.0, Maven will run only on Java 1.5 and later.
You can still build projects for JDK1.4 and earlier using the approach
documented in the Guide to Building JDK 1.4 Projects on JDK 1.5.
* MNG-3401 - Executions with an id equal to default-phase (where phase is
a valid lifecycle phase) may have unexpected results as it will be merged
into the default lifecycle.
* MNG-4140/4179 - Version-expression resolution during installation and
deployment has been removed, returning to Maven 2.0.x behaviour.
Maven is a software project management and comprehension tool.
Based on the concept of a project object model (POM), Maven
can manage a project's build, reporting and documentation from
a central piece of information.