From: David Pursehouse
Date: Wed, 6 Jun 2018 04:34:34 +0000 (+0900)
Subject: Update maven plugins to fix Zip Slip vulnerability
X-Git-Tag: v5.0.0.201806131550-r~19
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=refs%2Fchanges%2F56%2F124056%2F1;p=jgit.git

Update maven plugins to fix Zip Slip vulnerability

Zip Slip [1] is an arbitrary file write generic vulnerability that can be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war) archive that holds path traversal filenames.

According to Maven's announcement [2] several plugins use plexus-archiver to unpack dependencies to disk and have been identified as potential triggers for exposing the vulnerability. Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin. Update them to the fixed versions reported in [2].

See the corresponding issues for the maven-dependency-plugin [3] and the maven-javadoc-plugin [4] for details.

[1] https://snyk.io/research/zip-slip-vulnerability
[2] https://maven.apache.org/security-plexus-archiver.html
[3] https://issues.apache.org/jira/browse/MDEP-611
[4] https://issues.apache.org/jira/browse/MJAVADOC-520

Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43
Signed-off-by: David Pursehouse
---
diff --git a/pom.xml b/pom.xml index af26c741d2..042b21e98e 100644 --- a/pom.xml +++ b/pom.xml @@ -213,7 +213,7 @@ 4.4.6 1.7.2 1.2.15 - 3.0.0 + 3.0.1 1.1.0 2.8.2 3.1.2 @@ -286,7 +286,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.0.2 + 3.1.1
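Review bot: the property that moves from 3.0.0 to 3.0.1 in the first hunk (at -213,7 +213,7) is not named in the visible lines, so the hunk alone does not show which plugin it pins; the commit message says the maven-javadoc-plugin is one of the two plugins being updated, so confirm this is its version property and that 3.0.1 is the fixed version listed in the Maven advisory [2] and MJAVADOC-520 [4], and consider naming the plugin next to the version in the commit message so the mapping is explicit.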
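Review bot: the maven-dependency-plugin change in the second hunk (at -286,7 +286,7, "- 3.0.2" to "+ 3.1.1") is a minor-version jump rather than a patch release, so check the plugin's release notes between those versions for behaviour changes in the goals this build uses, not only the MDEP-611 fix; the version is also hard-coded in the plugin block while the versions touched by the first hunk are kept as properties, so moving it to a property would keep the pom consistent. Any module pom that overrides this plugin version would need the same bump.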
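As an added example (not JGit's or plexus-archiver's own code), the destination-path check that stops the traversal entries the commit message describes: each archive entry name is resolved under the unpack directory and rejected if the normalized result is not inside it. The class and method names (ZipSlipGuard, safeResolve, extract, sampleArchive) are mine, and the zip is a constructed in-memory sample with one "../" entry to exercise the check.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

public class ZipSlipGuard {
    /** Resolves an entry name under destDir; rejects names that escape it. */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        // normalize() folds "../" segments; an absolute entry name ("/etc/x") replaces root, so startsWith catches it too
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Zip Slip: entry escapes destination: " + entryName);
        }
        return target;
    }
    /** Extracts a zip stream into destDir, refusing any traversal entry before anything is written for it. */
    static List<Path> extract(InputStream archive, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                Path target = safeResolve(destDir, e.getName()); // check first, then write
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zin, target); // reads until the end of this entry
                written.add(target);
            }
        }
        return written;
    }
    /** Constructed sample archive: one benign entry, then one "../" traversal entry. */
    static byte[] sampleArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("lib/ok.txt"));
            zout.write("fine".getBytes());
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../outside.txt"));
            zout.write("traversal".getBytes());
            zout.closeEntry();
        }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unpack");
        try { extract(new ByteArrayInputStream(sampleArchive()), dest); }
        catch (IOException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Running it writes lib/ok.txt under the temporary directory and then aborts on the second entry, which is the behaviour an unpacking plugin needs: nothing outside the destination is ever touched.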