felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Symons (JIRA)" <j...@apache.org>
Subject [jira] [Created] (FELIX-5580) Bundle Plugin uses insecure maven-archiver 2.5
Date Sat, 04 Mar 2017 14:16:45 GMT
Mark Symons created FELIX-5580:

             Summary: Bundle Plugin uses insecure maven-archiver 2.5
                 Key: FELIX-5580
                 URL: https://issues.apache.org/jira/browse/FELIX-5580
             Project: Felix
          Issue Type: Bug
          Components: Maven Bundle Plugin
    Affects Versions: maven-bundle-plugin-3.2.0
            Reporter: Mark Symons

maven-bundle-plugin includes {{org.apache.maven:maven-archiver}} 2.5 as a compile dependency.

This version of maven-archiver uses {{org.codehaus.plexus:plexus-archiver}}  v2.1. which has
level 5 threat [CVE-2012-2098|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098].

The CVE mentions "sorting algorithms in bzip2 compressing stream" in context of Apache Commons
Compress,  but here is [one defect reference|https://bugzilla.redhat.com/show_bug.cgi?id=951522]
that confirms that the threat applies to plexus-archiver versions prior to 2.3.1

Thus, upgrade Bundle Plugin usage of maven-archiver to 2.6 (which uses plexus-archiver 2.8.1)
or later in order to mitigate the threat,

Current release of maven-archiver is 3.1.1

This message was sent by Atlassian JIRA

View raw message