[ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16315204#comment-16315204 ]
ASF GitHub Bot commented on MNG-5992:
-------------------------------------

GitHub user slachiewicz opened a pull request:

    https://github.com/apache/maven/pull/152

    [MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

    Fix password printout to logs
    Credit to: Ryan J. McDonough

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/slachiewicz/maven fix/MNG-5992-maven-release-plugin

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/maven/pull/152.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #152

----
commit 285158e1f76667eea2b92c17fe770b226c15e259
Author: Sylwester Lachiewicz <slachiewicz@...>
Date:   2018-01-07T11:22:11Z

    [MNG-5992] Upgrade default version of maven-release-plugin to 2.5.3

    Fix password printout to logs
    Credit to: Ryan J. McDonough

----

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Priority: Critical
>              Labels: security
>             Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using
> HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus,
> any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed
> in the logs and in the console output. In the case of TravisCI, this will be
> publicly visible.
> The [Maven Release Plugin fixed this issue in MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846],
> but Maven core is still pointing at an exposed version of the Maven Release plugin.
> I have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no
> longer displayed. This should be the default.
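As an added example (not part of the issue, the pull request, or the Maven project), a small Python check a CI operator can run over captured build output to find and redact HTTP(S) SCM URLs that carry a `user:password@` part, which is how the leak described above shows up in a log. The log lines below are constructed, and `ryan:s3cr3t` is a placeholder credential; the exact `Executing:` line format is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# http(s) URL whose authority contains userinfo with a password: scheme://user:pass@host...
URL_WITH_USERINFO = re.compile(r"https?://[^\s/@]+:[^\s/@]+@[^\s\"']+")

# Constructed sample of what a maven-release-plugin:perform run could echo (format assumed).
SAMPLE_LOG = [
    "[INFO] --- maven-release-plugin:2.3.2:perform (default-cli) @ demo ---",
    "[INFO] Executing: /bin/sh -c cd /work && git push https://ryan:s3cr3t@github.com/damnhandy/repo.git master",
    "[INFO] Working directory: /work",
]


def redact_url(url: str) -> str:
    """Return the URL with the userinfo password replaced by '*****' (unchanged if none)."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:*****@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_log(lines):
    """Return [(line_no, redacted_line)] for each line containing a credentialed URL.

    The redacted form is what a CI system should have printed; the line number tells
    the operator where the secret was exposed so it can be rotated.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if URL_WITH_USERINFO.search(line):
            cleaned = URL_WITH_USERINFO.sub(lambda m: redact_url(m.group(0)), line)
            findings.append((line_no, cleaned))
    return findings


if __name__ == "__main__":
    for line_no, cleaned in scan_log(SAMPLE_LOG):
        print(f"credential in SCM URL at line {line_no}: {cleaned}")
```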