[FELIX-5580] Bundle Plugin uses insecure maven-archiver 2.5 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: maven-bundle-plugin-3.2.0
Fix Version/s: None
Component/s: Maven Bundle Plugin
Labels:
None

Description

maven-bundle-plugin includes org.apache.maven:maven-archiver 2.5 as a compile dependency.

This version of maven-archiver uses org.codehaus.plexus:plexus-archiver v2.1. which has level 5 threat CVE-2012-2098.

The CVE mentions "sorting algorithms in bzip2 compressing stream" in context of Apache Commons Compress, but here is one defect reference that confirms that the threat applies to plexus-archiver versions prior to 2.3.1

Thus, upgrade Bundle Plugin usage of maven-archiver to 2.6 (which uses plexus-archiver 2.8.1) or later in order to mitigate the threat,

Current release of maven-archiver is 3.1.1

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Mark Symons

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/Mar/17 14:16

Updated:: 04/Mar/17 14:18

Resolved:: 04/Mar/17 14:18