Red Hat was recently made aware that in certain Java repositories, we pull and build dependencies over HTTP instead of HTTPS. We recognize that using HTTP when HTTPS is available is less than desirable and are investigating the report. Importantly, using HTTP alone is not sufficient to effect an attack; an attacker needs to be in a position to perform a man-in-the-middle attack in the first place. The security of builds is important to Red Hat, so we will be taking steps to harden the process by changing calls to use HTTPS where possible.

Used only by our 6.4 RHDS and RHIPS images:

• https://www.github.com/jboss-openshift/openshift-kieserver/blob/master/pom.xml