[ https://issues.apache.org/jira/browse/FELIX-5580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mark Symons closed FELIX-5580.
------------------------------
Resolution: Duplicate
Duplicates FELIX-5579. Clicking "Create" created two issues!
> Bundle Plugin uses insecure maven-archiver 2.5
> ----------------------------------------------
>
> Key: FELIX-5580
> URL: https://issues.apache.org/jira/browse/FELIX-5580
> Project: Felix
> Issue Type: Bug
> Components: Maven Bundle Plugin
> Affects Versions: maven-bundle-plugin-3.2.0
> Reporter: Mark Symons
>
> maven-bundle-plugin includes {{org.apache.maven:maven-archiver}} 2.5 as a
> compile dependency.
> This version of maven-archiver uses {{org.codehaus.plexus:plexus-archiver}}
> v2.1, which has a level 5 threat,
> [CVE-2012-2098|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098].
> The CVE mentions "sorting algorithms in bzip2 compressing stream" in the context
> of Apache Commons Compress, but here is [one defect
> reference|https://bugzilla.redhat.com/show_bug.cgi?id=951522] that confirms
> that the threat applies to plexus-archiver versions prior to 2.3.1.
> Thus, upgrade Bundle Plugin usage of maven-archiver to 2.6 (which uses
> plexus-archiver 2.8.1) or later in order to mitigate the threat.
> The current release of maven-archiver is 3.1.1.
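Until a plugin release ships with the newer archiver, a project can pin the version itself from its own pom.xml. The fragment below is an added example, not part of the issue or of the Felix project's build; it assumes the standard Maven mechanism of declaring a dependency under `<plugin>` to override the plugin's own transitive dependency, and uses the plugin version named in the issue (3.2.0) together with the maven-archiver 2.6 recommended above.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.felix</groupId>
      <artifactId>maven-bundle-plugin</artifactId>
      <!-- version named in the issue as affected -->
      <version>3.2.0</version>
      <extensions>true</extensions>
      <dependencies>
        <!-- Override the plugin's transitive maven-archiver 2.5
             (which pulls in plexus-archiver 2.1, affected by
             CVE-2012-2098) with 2.6, which depends on plexus-archiver
             2.8.1, as recommended in the issue. -->
        <dependency>
          <groupId>org.apache.maven</groupId>
          <artifactId>maven-archiver</artifactId>
          <version>2.6</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Whether the override is actually honoured should be confirmed in the build log (the resolved plugin classpath) rather than assumed, since this fragment has not been verified against the plugin's own build.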
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)