Posted to dev@felix.apache.org by "Mark Symons (JIRA)" <ji...@apache.org> on 2017/03/04 14:16:45 UTC
[jira] [Created] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5
Mark Symons created FELIX-5579:
----------------------------------
Summary: Bundle Plugin uses insecure maven-archiver 2.5
Key: FELIX-5579
URL: https://issues.apache.org/jira/browse/FELIX-5579
Project: Felix
Issue Type: Bug
Components: Maven Bundle Plugin
Affects Versions: maven-bundle-plugin-3.2.0
Reporter: Mark Symons
maven-bundle-plugin includes {{org.apache.maven:maven-archiver}} 2.5 as a compile dependency.
This version of maven-archiver uses {{org.codehaus.plexus:plexus-archiver}} v2.1, which has a level 5 threat, [CVE-2012-2098|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098].
The CVE mentions "sorting algorithms in bzip2 compressing stream" in the context of Apache Commons Compress, but here is [one defect reference|https://bugzilla.redhat.com/show_bug.cgi?id=951522] that confirms that the threat applies to plexus-archiver versions prior to 2.3.1.
Thus, upgrade the Bundle Plugin's usage of maven-archiver to 2.6 (which uses plexus-archiver 2.8.1) or later in order to mitigate the threat.
The current release of maven-archiver is 3.1.1.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
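Added example, not part of the original report and not code from the Felix project: a pom.xml fragment showing how a consuming build can pin a newer maven-archiver on maven-bundle-plugin itself, using Maven's plugin-level <dependencies> override, until a fixed plugin release is available. The plugin coordinates (org.apache.felix:maven-bundle-plugin) and the maven-archiver version follow the report; whether maven-bundle-plugin 3.2.0 builds correctly against maven-archiver 2.6 is an assumption that must be checked by running the build. The mvn invocation in the comment for confirming which version was actually resolved is likewise an assumed, not project-documented, step.

```xml
<!-- Added example (not from the report or the Felix project).
     Plugin-level <dependencies> replace the dependency the plugin declares
     for itself, so the vulnerable maven-archiver 2.5 / plexus-archiver 2.1
     pair is no longer resolved for this build. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.felix</groupId>
      <artifactId>maven-bundle-plugin</artifactId>
      <version>3.2.0</version>
      <extensions>true</extensions>
      <dependencies>
        <!-- Assumption: 2.6 (which pulls plexus-archiver 2.8.1, per the
             report) is API-compatible with bundle plugin 3.2.0. Build and
             run the bundle tests after applying this override. -->
        <dependency>
          <groupId>org.apache.maven</groupId>
          <artifactId>maven-archiver</artifactId>
          <version>2.6</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>

<!-- To confirm what is actually resolved for the plugin (assumed check):
       mvn dependency:resolve-plugins
     and look for maven-archiver and plexus-archiver under
     org.apache.felix:maven-bundle-plugin; any plexus-archiver older than
     2.3.1 means the override did not take effect. -->
```

Note that `mvn dependency:tree` only reports project dependencies, not the dependencies of plugins, so it will not reveal the vulnerable archiver; the plugin-resolution goal above is the one that shows it.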