Posted to issues@maven.apache.org by "Mark Symons (JIRA)" <ji...@apache.org> on 2018/11/07 12:48:00 UTC

[jira] [Comment Edited] (MJAR-252) Upgrade plexus-archiver to 3.6.0

    [ https://issues.apache.org/jira/browse/MJAR-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678167#comment-16678167 ] 

Mark Symons edited comment on MJAR-252 at 11/7/18 12:47 PM:
------------------------------------------------------------

I think that this issue should be reclassified as major/critical, as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]
{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will maven-jar-plugin v3.1.1 be released soon?


was (Author: marks):
I think that this issue should be reclassified as major/critical. as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]
{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will v3.1.1 be released soon?

> Upgrade plexus-archiver to 3.6.0
> --------------------------------
>
>                 Key: MJAR-252
>                 URL: https://issues.apache.org/jira/browse/MJAR-252
>             Project: Maven JAR Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.1.1
>            Reporter: Karl Heinz Marbaise
>            Assignee: Karl Heinz Marbaise
>            Priority: Minor
>             Fix For: 3.1.1
>
>



