Re: CVE-2021-26291 for plugin writers
In fact, whatever you do in your plugin POM, they are provided by Maven core at runtime (ignoring the precise version the plugin asked for), but marking them provided in your plugin pom.xml makes this fact more visible.

Regards,

Hervé

On Thursday, 31 August 2023 at 03:15:15 CEST, Jeremy Landis wrote:
> Make sure your maven artifacts are provided scope; then your users can
> continue using old versions just fine to the 3.3.9 support level you have
> now.
>
> Sent from my Verizon, Samsung Galaxy smartphone
> Get Outlook for Android <https://aka.ms/AAb9ysg>
>
> From: Anton Vodonosov
> Sent: Monday, August 28, 2023 11:14:30 AM
> To: dev@maven.apache.org
> Subject: CVE-2021-26291 for plugin writers
>
> Maven 3.8.1 release notes describe CVE-2021-26291 fixed in that version:
> https://maven.apache.org/docs/3.8.1/release-notes.html
>
> That's the best explanation of this CVE of all I saw online.
>
> But it misses a guide for plugin authors.
>
> GitHub's security scanner created this alert for my plugin
> https://github.com/avodonosov/hashver-maven-plugin/security/dependabot/3
> and a corresponding pull request, where it suggests changing the
> dependency maven-core from 3.3.8 to 3.8.1:
> https://github.com/avodonosov/hashver-maven-plugin/pull/11
>
> I am reluctant to commit this change because
> I am afraid the plugin may stop working for users of older maven versions.
> I suppose this CVE is not relevant to plugin authors; my reasoning
> is in the pull request comments.
>
> Am I right that the CVE does not affect the plugin?
>
> It would be good if the 3.8.1 release notes were extended with an explanation
> of whether it is safe for plugins to depend on older versions of maven libs.
>
> Best regards,
> - Anton

To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
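As an added illustration of the advice in this thread (example POM, not the hashver-maven-plugin's own pom.xml or anything posted by the participants), here is a plugin POM that declares the Maven core artifacts in provided scope, with the compile-scope form it replaces kept in a comment for contrast. The project coordinates and the maven.version property name are placeholders; the 3.3.9 version is the support level mentioned in the thread.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>                 <!-- placeholder coordinates -->
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>maven-plugin</packaging>

  <properties>
    <!-- Oldest Maven the plugin is meant to run on. This is the API level
         the plugin is compiled against; at runtime Maven injects its own
         core classes, so the CVE-2021-26291 fix is present or absent
         depending on the Maven the user runs, not on this number. -->
    <maven.version>3.3.9</maven.version>
  </properties>

  <dependencies>
    <!-- Before: default (compile) scope. This makes maven-core look like a
         library the plugin ships, which is what the scanner reacts to.
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${maven.version}</version>
    </dependency>
    -->

    <!-- After: provided scope. The artifact is on the compile classpath but
         is neither packaged nor passed on transitively; the running Maven
         supplies it. Users on Maven 3.3.9 and newer keep working. -->
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${maven.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-plugin-api</artifactId>
      <version>${maven.version}</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree` on such a project lists the core artifacts with a trailing `:provided`, which is the quick check that none of them has slipped back into compile scope through another dependency.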
Re: CVE-2021-26291 for plugin writers
Make sure your maven artifacts are provided scope; then your users can continue using old versions just fine to the 3.3.9 support level you have now.

Sent from my Verizon, Samsung Galaxy smartphone
Get Outlook for Android <https://aka.ms/AAb9ysg>

From: Anton Vodonosov
Sent: Monday, August 28, 2023 11:14:30 AM
To: dev@maven.apache.org
Subject: CVE-2021-26291 for plugin writers

Maven 3.8.1 release notes describe CVE-2021-26291 fixed in that version:
https://maven.apache.org/docs/3.8.1/release-notes.html

That's the best explanation of this CVE of all I saw online.

But it misses a guide for plugin authors.

GitHub's security scanner created this alert for my plugin
https://github.com/avodonosov/hashver-maven-plugin/security/dependabot/3
and a corresponding pull request, where it suggests changing the dependency maven-core from 3.3.8 to 3.8.1:
https://github.com/avodonosov/hashver-maven-plugin/pull/11

I am reluctant to commit this change because I am afraid the plugin may stop working for users of older maven versions. I suppose this CVE is not relevant to plugin authors; my reasoning is in the pull request comments.

Am I right that the CVE does not affect the plugin?

It would be good if the 3.8.1 release notes were extended with an explanation of whether it is safe for plugins to depend on older versions of maven libs.

Best regards,
- Anton
CVE-2021-26291 for plugin writers
Maven 3.8.1 release notes describe CVE-2021-26291 fixed in that version:
https://maven.apache.org/docs/3.8.1/release-notes.html

That's the best explanation of this CVE of all I saw online.

But it misses a guide for plugin authors.

GitHub's security scanner created this alert for my plugin
https://github.com/avodonosov/hashver-maven-plugin/security/dependabot/3
and a corresponding pull request, where it suggests changing the dependency maven-core from 3.3.8 to 3.8.1:
https://github.com/avodonosov/hashver-maven-plugin/pull/11

I am reluctant to commit this change because I am afraid the plugin may stop working for users of older maven versions. I suppose this CVE is not relevant to plugin authors; my reasoning is in the pull request comments.

Am I right that the CVE does not affect the plugin?

It would be good if the 3.8.1 release notes were extended with an explanation of whether it is safe for plugins to depend on older versions of maven libs.

Best regards,
- Anton