[jira] [Created] (FELIX-5583) org.apache.felix.utils.json should be private

2017-03-07 Thread David Leangen (JIRA)
David Leangen created FELIX-5583:


 Summary: org.apache.felix.utils.json should be private
 Key: FELIX-5583
 URL: https://issues.apache.org/jira/browse/FELIX-5583
 Project: Felix
  Issue Type: Bug
  Components: Converter
Reporter: David Leangen
Assignee: David Leangen


I believe that, as a "library", this package ought to be marked as private.

If there are no objections, I will make the update.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5

2017-03-07 Thread Stefan Seifert (JIRA)

[ 
https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15899771#comment-15899771
 ] 

Stefan Seifert commented on FELIX-5579:
---

i think we can start the release process this week, so you should have it next 
week.

> Bundle Plugin uses insecure maven-archiver 2.5
> ----------------------------------------------
>
> Key: FELIX-5579
> URL: https://issues.apache.org/jira/browse/FELIX-5579
> Project: Felix
> Issue Type: Bug
> Components: Maven Bundle Plugin
> Affects Versions: maven-bundle-plugin-3.2.0
> Reporter: Mark Symons
> Assignee: Stefan Seifert
> Fix For: maven-bundle-plugin-3.3.0
>
>
> maven-bundle-plugin includes {{org.apache.maven:maven-archiver}} 2.5 as a 
> compile dependency.
> This version of maven-archiver uses {{org.codehaus.plexus:plexus-archiver}} 
> v2.1, which has level 5 threat 
> [CVE-2012-2098|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098].
> The CVE mentions "sorting algorithms in bzip2 compressing stream" in context 
> of Apache Commons Compress, but here is [one defect 
> reference|https://bugzilla.redhat.com/show_bug.cgi?id=951522] that confirms 
> that the threat applies to plexus-archiver versions prior to 2.3.1.
> Thus, upgrade Bundle Plugin usage of maven-archiver to 2.6 (which uses 
> plexus-archiver 2.8.1) or later in order to mitigate the threat.
> Current release of maven-archiver is 3.1.1.



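The dependency chain reported in FELIX-5579 can be checked mechanically. The following is an added example, not part of the original thread or of the Felix project's code: it scans text in the `mvn dependency:tree` output format for `org.codehaus.plexus:plexus-archiver` below 2.3.1 and reports the path that pulls it in. The sample trees, the function names and `com.example:other-lib` are constructed for illustration.

```python
import re

AFFECTED = "org.codehaus.plexus:plexus-archiver"
FIXED_IN = (2, 3, 1)  # issue text: versions prior to 2.3.1 are affected

# Constructed samples in `mvn dependency:tree` text format (not real build output).
# Versions are those named in FELIX-5579; com.example:other-lib is hypothetical.
TREE_3_2_0 = "\n".join([
    "[INFO] org.apache.felix:maven-bundle-plugin:maven-plugin:3.2.0",
    "[INFO] +- org.apache.maven:maven-archiver:jar:2.5:compile",
    "[INFO] |  \\- org.codehaus.plexus:plexus-archiver:jar:2.1:compile",
    "[INFO] \\- com.example:other-lib:jar:1.0:compile",
])
TREE_3_3_0 = (TREE_3_2_0.replace("maven-plugin:3.2.0", "maven-plugin:3.3.0")
              .replace("maven-archiver:jar:2.5", "maven-archiver:jar:2.6")
              .replace("plexus-archiver:jar:2.1", "plexus-archiver:jar:2.8.1"))

# Each nesting level is a 3-character prefix: "|  ", "   ", "+- " or "\- ".
LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ ][ -] )*)(?P<coord>\S+)$")


def numeric(version):
    """Simplified comparison key: the numeric fields only, qualifiers ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def find_affected(tree_text, artifact=AFFECTED, fixed_in=FIXED_IN):
    """Return one 'root -> ... -> artifact' path per affected occurrence."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, download or summary line
        depth = len(m["prefix"]) // 3
        parts = m["coord"].split(":")
        if len(parts) < 4:
            continue
        # Root is group:artifact:type:version; dependencies end with :scope.
        version = parts[-1] if depth == 0 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if f"{parts[0]}:{parts[1]}" == artifact and numeric(version) < fixed_in:
            hits.append(" -> ".join(stack))
    return hits


if __name__ == "__main__":
    for label, tree in (("3.2.0", TREE_3_2_0), ("3.3.0", TREE_3_3_0)):
        print(label, find_affected(tree) or "no affected plexus-archiver")
```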


[maven-bundle-plugin] release 3.3.0 soon?

2017-03-07 Thread Stefan Seifert
we fixed a potential security issue in maven-bundle-plugin today (FELIX-5579 - 
security issue in old dependency).
i also updated to bndlib 3.3.0 which was released in last September.

if no one objects i will start a release 3.3.0 within the next 1-2 days.

stefan



[jira] [Resolved] (FELIX-5582) maven-bundle-plugin: Make sure Closeable resources are closed

2017-03-07 Thread Stefan Seifert (JIRA)

 [ 
https://issues.apache.org/jira/browse/FELIX-5582?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert resolved FELIX-5582.
---
Resolution: Fixed

Completed: At revision: 1785859  


> maven-bundle-plugin: Make sure Closeable resources are closed
> -
>
> Key: FELIX-5582
> URL: https://issues.apache.org/jira/browse/FELIX-5582
> Project: Felix
>  Issue Type: Bug
>  Components: Maven Bundle Plugin
>Affects Versions: maven-bundle-plugin-3.2.0
>Reporter: Stefan Seifert
>Assignee: Stefan Seifert
>Priority: Minor
> Fix For: maven-bundle-plugin-3.3.0
>
>
> some resources that implement the Closeable interface are not closed properly 
> in maven-bundle-plugin.
> this affects bnd Analyzer and Verifier objects.





[jira] [Created] (FELIX-5582) maven-bundle-plugin: Make sure Closeable resources are closed

2017-03-07 Thread Stefan Seifert (JIRA)
Stefan Seifert created FELIX-5582:
-

 Summary: maven-bundle-plugin: Make sure Closeable resources are 
closed
 Key: FELIX-5582
 URL: https://issues.apache.org/jira/browse/FELIX-5582
 Project: Felix
  Issue Type: Bug
  Components: Maven Bundle Plugin
Affects Versions: maven-bundle-plugin-3.2.0
Reporter: Stefan Seifert
Assignee: Stefan Seifert
Priority: Minor
 Fix For: maven-bundle-plugin-3.3.0


some resources that implement the Closeable interface are not closed properly 
in maven-bundle-plugin.
this affects bnd Analyzer and Verifier objects.





[jira] [Resolved] (FELIX-5581) Update to bndlib 3.3.0

2017-03-07 Thread Stefan Seifert (JIRA)

 [ 
https://issues.apache.org/jira/browse/FELIX-5581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert resolved FELIX-5581.
---
Resolution: Fixed

Completed: At revision: 1785858  


> Update to bndlib 3.3.0
> --
>
> Key: FELIX-5581
> URL: https://issues.apache.org/jira/browse/FELIX-5581
> Project: Felix
>  Issue Type: Improvement
>  Components: Maven Bundle Plugin
>Affects Versions: maven-bundle-plugin-3.2.0
>Reporter: Stefan Seifert
>Assignee: Stefan Seifert
> Fix For: maven-bundle-plugin-3.3.0
>
>
> version 3.3.0 of bndlib was published in sept. 2016.
> changelog: https://github.com/bndtools/bnd/wiki/Changes-in-3.3.0





[jira] [Created] (FELIX-5581) Update to bndlib 3.3.0

2017-03-07 Thread Stefan Seifert (JIRA)
Stefan Seifert created FELIX-5581:
-

 Summary: Update to bndlib 3.3.0
 Key: FELIX-5581
 URL: https://issues.apache.org/jira/browse/FELIX-5581
 Project: Felix
  Issue Type: Improvement
  Components: Maven Bundle Plugin
Affects Versions: maven-bundle-plugin-3.2.0
Reporter: Stefan Seifert
Assignee: Stefan Seifert
 Fix For: maven-bundle-plugin-3.3.0


version 3.3.0 of bndlib was published in sept. 2016.
changelog: https://github.com/bndtools/bnd/wiki/Changes-in-3.3.0






[jira] [Commented] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5

2017-03-07 Thread Mark Symons (JIRA)

[ 
https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15899347#comment-15899347
 ] 

Mark Symons commented on FELIX-5579:


Thank you for resolving the issue so speedily.

Is there a scheduled release date for  maven-bundle-plugin-3.3.0?

When the release is made then I'll be able to create pull requests in a couple 
of other projects (such as swagger-codegen) in order to update their version of 
maven-bundle-plugin.



[jira] [Resolved] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5

2017-03-07 Thread Stefan Seifert (JIRA)

 [ 
https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert resolved FELIX-5579.
---
Resolution: Fixed

Completed: At revision: 1785822  

thanks for reporting - i've updated to maven-archiver 2.6



[jira] [Assigned] (FELIX-5579) Bundle Plugin uses insecure maven-archiver 2.5

2017-03-07 Thread Stefan Seifert (JIRA)

 [ 
https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stefan Seifert reassigned FELIX-5579:
-

 Assignee: Stefan Seifert
Fix Version/s: maven-bundle-plugin-3.3.0
