[ https://issues.apache.org/jira/browse/FELIX-5579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Seifert closed FELIX-5579.
---------------------------------

> Bundle Plugin uses insecure maven-archiver 2.5
> ----------------------------------------------
>
>                 Key: FELIX-5579
>                 URL: https://issues.apache.org/jira/browse/FELIX-5579
>             Project: Felix
>          Issue Type: Bug
>          Components: Maven Bundle Plugin
>    Affects Versions: maven-bundle-plugin-3.2.0
>            Reporter: Mark Symons
>            Assignee: Stefan Seifert
>             Fix For: maven-bundle-plugin-3.3.0
>
>
> maven-bundle-plugin includes {{org.apache.maven:maven-archiver}} 2.5 as a compile dependency.
> This version of maven-archiver uses {{org.codehaus.plexus:plexus-archiver}} v2.1, which has level 5 threat [CVE-2012-2098|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2098].
> The CVE mentions "sorting algorithms in bzip2 compressing stream" in the context of Apache Commons Compress, but here is [one defect reference|https://bugzilla.redhat.com/show_bug.cgi?id=951522] that confirms that the threat applies to plexus-archiver versions prior to 2.3.1.
> Thus, upgrade Bundle Plugin usage of maven-archiver to 2.6 (which uses plexus-archiver 2.8.1) or later in order to mitigate the threat.
> Current release of maven-archiver is 3.1.1



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
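The issue turns on a transitive plugin dependency (maven-bundle-plugin -> maven-archiver 2.5 -> plexus-archiver 2.1) crossing the "prior to 2.3.1" threshold the reporter cites. The script below is an added example, not code from the Felix project or from the issue: it parses text in the shape of `mvn dependency:tree` output, walks the tree to reconstruct the path to each node, and flags any org.codehaus.plexus:plexus-archiver below 2.3.1 together with the chain that pulled it in. The SAMPLE_TREE input is constructed to mirror the chain described in the issue; it is not captured output, and the "[INFO] " prefix, 3-column indentation and groupId:artifactId:type[:classifier]:version[:scope] layout are assumptions about the dependency:tree text format.

```python
"""Flag plexus-archiver versions affected by CVE-2012-2098 in dependency:tree text."""
import re
from typing import List, Tuple

# Constructed sample in the shape of `mvn dependency:tree` output (assumption: this
# mirrors the chain in FELIX-5579; it is not real output captured from the plugin).
SAMPLE_TREE = """\
[INFO] org.apache.felix:maven-bundle-plugin:maven-plugin:3.2.0
[INFO] +- org.apache.maven:maven-archiver:jar:2.5:compile
[INFO] |  \\- org.codehaus.plexus:plexus-archiver:jar:2.1:compile
[INFO] \\- biz.aQute.bnd:biz.aQute.bndlib:jar:3.3.0:compile
"""

# Per the Red Hat report linked in the issue, plexus-archiver before 2.3.1 is affected.
FIXED_IN = (2, 3, 1)
TARGET = ("org.codehaus.plexus", "plexus-archiver")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.8.1' into (2, 8, 1); stop at the first non-numeric segment (e.g. 2.3-SNAPSHOT)."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for any version strictly below the first fixed release (tuple comparison)."""
    return parse_version(version) < FIXED_IN


def parse_tree(tree_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for each coordinate line.

    Depth is derived from the tree-drawing prefix ('+- ', '|  ', '\\- ', '   '),
    which advances three columns per level. Non-coordinate log lines are skipped.
    """
    nodes = []
    for line in tree_text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        m = re.search(r"[A-Za-z]", body)
        if not m:
            continue
        depth = m.start() // 3
        parts = body[m.start():].split(":")
        if len(parts) < 4:          # need at least g:a:type:version
            continue
        # g:a:type:version (root) vs g:a:type[:classifier]:version:scope (children)
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def find_vulnerable(tree_text: str) -> List[Tuple[str, str]]:
    """Return (vulnerable coordinate, 'root -> ... -> parent' path) for each hit."""
    hits = []
    stack: List[str] = []       # coordinates of the ancestors of the current node
    for depth, g, a, v in parse_tree(tree_text):
        del stack[depth:]        # pop back to this node's parent level
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == TARGET and is_vulnerable(v):
            hits.append((stack[-1], " -> ".join(stack[:-1])))
    return hits


if __name__ == "__main__":
    for coord, path in find_vulnerable(SAMPLE_TREE):
        print(f"{coord} (< 2.3.1, CVE-2012-2098) pulled in via {path}")
```

Feed it the saved output of `mvn dependency:tree` run against the plugin's own POM (or any project POM) and it prints the offending coordinate with its ancestry, which is the information needed to decide which upstream artifact to bump. The version comparison is deliberately numeric and prefix-based so that 2.3 is reported as affected while 2.3.1 and 2.8.1 are not.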