[jira] [Created] (FELIX-5583) org.apache.felix.utils.json should be private
David Leangen created FELIX-5583:

Summary: org.apache.felix.utils.json should be private
Key: FELIX-5583
URL: https://issues.apache.org/jira/browse/FELIX-5583
Project: Felix
Issue Type: Bug
Components: Converter
Reporter: David Leangen
Assignee: David Leangen

I believe that, as a "library", this package ought to be marked as private. If there are no objections, I will make the update.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
[jira] [Commented] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5
[ https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15899771#comment-15899771 ]

Stefan Seifert commented on FELIX-5579:
---------------------------------------

i think we can start the release process this week, so you should have it next week.

> Bundle Plugin uses insecure maven-archiver 2.5
> ----------------------------------------------
>
> Key: FELIX-5579
> URL: https://issues.apache.org/jira/browse/FELIX-5579
> Project: Felix
> Issue Type: Bug
> Components: Maven Bundle Plugin
> Affects Versions: maven-bundle-plugin-3.2.0
> Reporter: Mark Symons
> Assignee: Stefan Seifert
> Fix For: maven-bundle-plugin-3.3.0
>
>
> maven-bundle-plugin includes {{org.apache.maven:maven-archiver}} 2.5 as a
> compile dependency.
> This version of maven-archiver uses {{org.codehaus.plexus:plexus-archiver}}
> v2.1. which has level 5 threat
> [CVE-2012-2098|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098].
> The CVE mentions "sorting algorithms in bzip2 compressing stream" in context
> of Apache Commons Compress, but here is [one defect
> reference|https://bugzilla.redhat.com/show_bug.cgi?id=951522] that confirms
> that the threat applies to plexus-archiver versions prior to 2.3.1
> Thus, upgrade Bundle Plugin usage of maven-archiver to 2.6 (which uses
> plexus-archiver 2.8.1) or later in order to mitigate the threat,
> Current release of maven-archiver is 3.1.1
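An added example, not part of the original thread or of Felix's code: a check that walks `mvn dependency:tree` text output and reports every dependency path that pulls in plexus-archiver below 2.3.1, the threshold named in the issue above. The tree sample is constructed, and the function and constant names are assumptions chosen for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output for the chain described
# in FELIX-5579 (not captured from a real build; org.example is a placeholder).
SAMPLE_TREE = r"""
[INFO] org.apache.felix:maven-bundle-plugin:maven-plugin:3.2.0
[INFO] +- org.example:other-lib:jar:1.0:compile
[INFO] \- org.apache.maven:maven-archiver:jar:2.5:compile
[INFO]    \- org.codehaus.plexus:plexus-archiver:jar:2.1:compile
"""

TARGET = "org.codehaus.plexus:plexus-archiver"
FIXED_IN = (2, 3, 1)  # issue text: threat applies to versions prior to 2.3.1

# Tree-drawing prefix (3 characters per level), then Maven coordinates.
LINE = re.compile(
    r"^\[INFO\] (?P<indent>[ |+\\-]*)(?P<coords>[\w.\-]+(?::[\w.\-]+){3,5})$"
)

def version_tuple(version):
    """Numeric components only; qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_vulnerable_paths(tree_text):
    """Return 'root -> ... -> plexus-archiver' paths below FIXED_IN."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group("indent")) // 3
        parts = m.group("coords").split(":")
        # Root is g:a:packaging:version; dependencies end in version:scope.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        ga = ":".join(parts[:2])
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(f"{ga}:{version}")
        if ga == TARGET and version_tuple(version) < FIXED_IN:
            hits.append(" -> ".join(stack))
    return hits

if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_TREE):
        print("vulnerable:", path)
```

Reporting the whole path rather than just the artifact shows which direct dependency has to be upgraded, here maven-archiver.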
[maven-bundle-plugin] release 3.3.0 soon?
we fixed a potential security issue in maven-bundle-plugin today (FELIX-5579 - security issue in old dependency).
i also updated to bndlib 3.3.0 which was released in last September.

if no one objects i will start a release 3.3.0 within the next 1-2 days.

stefan
[jira] [Resolved] (FELIX-5582) maven-bundle-plugin: Make sure Closeable resources are closed
[ https://issues.apache.org/jira/browse/FELIX-5582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert resolved FELIX-5582.
----------------------------------
Resolution: Fixed

Completed: At revision: 1785859

> maven-bundle-plugin: Make sure Closeable resources are closed
> -------------------------------------------------------------
>
> Key: FELIX-5582
> URL: https://issues.apache.org/jira/browse/FELIX-5582
> Project: Felix
> Issue Type: Bug
> Components: Maven Bundle Plugin
> Affects Versions: maven-bundle-plugin-3.2.0
> Reporter: Stefan Seifert
> Assignee: Stefan Seifert
> Priority: Minor
> Fix For: maven-bundle-plugin-3.3.0
>
>
> some resources that implement the Closeable interface are not closed properly
> in maven-bundle-plugin.
> this affects bnd Analyzer and Verifier objects.
[jira] [Created] (FELIX-5582) maven-bundle-plugin: Make sure Closeable resources are closed
Stefan Seifert created FELIX-5582:
----------------------------------

Summary: maven-bundle-plugin: Make sure Closeable resources are closed
Key: FELIX-5582
URL: https://issues.apache.org/jira/browse/FELIX-5582
Project: Felix
Issue Type: Bug
Components: Maven Bundle Plugin
Affects Versions: maven-bundle-plugin-3.2.0
Reporter: Stefan Seifert
Assignee: Stefan Seifert
Priority: Minor
Fix For: maven-bundle-plugin-3.3.0

some resources that implement the Closeable interface are not closed properly in maven-bundle-plugin.
this affects bnd Analyzer and Verifier objects.
[jira] [Resolved] (FELIX-5581) Update to bndlib 3.3.0
[ https://issues.apache.org/jira/browse/FELIX-5581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert resolved FELIX-5581.
----------------------------------
Resolution: Fixed

Completed: At revision: 1785858

> Update to bndlib 3.3.0
> ----------------------
>
> Key: FELIX-5581
> URL: https://issues.apache.org/jira/browse/FELIX-5581
> Project: Felix
> Issue Type: Improvement
> Components: Maven Bundle Plugin
> Affects Versions: maven-bundle-plugin-3.2.0
> Reporter: Stefan Seifert
> Assignee: Stefan Seifert
> Fix For: maven-bundle-plugin-3.3.0
>
>
> version 3.3.0 of bndlib was published in sept. 2016.
> changelog: https://github.com/bndtools/bnd/wiki/Changes-in-3.3.0
[jira] [Created] (FELIX-5581) Update to bndlib 3.3.0
Stefan Seifert created FELIX-5581:
----------------------------------

Summary: Update to bndlib 3.3.0
Key: FELIX-5581
URL: https://issues.apache.org/jira/browse/FELIX-5581
Project: Felix
Issue Type: Improvement
Components: Maven Bundle Plugin
Affects Versions: maven-bundle-plugin-3.2.0
Reporter: Stefan Seifert
Assignee: Stefan Seifert
Fix For: maven-bundle-plugin-3.3.0

version 3.3.0 of bndlib was published in sept. 2016.
changelog: https://github.com/bndtools/bnd/wiki/Changes-in-3.3.0
[jira] [Commented] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5
[ https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15899347#comment-15899347 ]

Mark Symons commented on FELIX-5579:

Thank you for resolving the issue so speedily.

Is there a scheduled release date for maven-bundle-plugin-3.3.0?

When the release is made then I'll be able to create pull requests in a couple of other projects (such as swagger-codegen) in order to update their version of maven-bundle-plugin.
[jira] [Resolved] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5
[ https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert resolved FELIX-5579.
----------------------------------
Resolution: Fixed

Completed: At revision: 1785822

thanks for reporting - i've updated to maven-archiver 2.6
[jira] [Assigned] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5
[ https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert reassigned FELIX-5579:
------------------------------------

Assignee: Stefan Seifert
Fix Version/s: maven-bundle-plugin-3.3.0