Quellcode durchsuchen
Update maven plugins to fix Zip Slip vulnerability
Zip Slip [1] is an arbitrary file write generic vulnerability, that can be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war) archive, that holds path traversal filenames. According to Maven's announcement [2] several plugins use plexus-archiver to unpack dependencies to disk and have been identified as potential triggers for exposing the vulnerability. Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin. Update them to the fixed versions reported in [2]. See the corresponding issues for the maven-dependency-plugin [3] and the maven-javadoc-plugin [4] for details. [1] https://snyk.io/research/zip-slip-vulnerability [2] https://maven.apache.org/security-plexus-archiver.html [3] https://issues.apache.org/jira/browse/MDEP-611 [4] https://issues.apache.org/jira/browse/MJAVADOC-520 Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43 Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>tags/v5.0.0.201806131550-r
David Pursehouse
vor 6 Jahren
1 geänderte Dateien mit 2 neuen und 2 gelöschten Zeilen
+ 2
- 2
pom.xml
Datei anzeigen
| @@ -213,7 +213,7 @@ | |||
| <httpcore-version>4.4.6</httpcore-version> | |||
| <slf4j-version>1.7.2</slf4j-version> | |||
| <log4j-version>1.2.15</log4j-version> | |||
| <maven-javadoc-plugin-version>3.0.0</maven-javadoc-plugin-version> | |||
| <maven-javadoc-plugin-version>3.0.1</maven-javadoc-plugin-version> | |||
| <tycho-extras-version>1.1.0</tycho-extras-version> | |||
| <gson-version>2.8.2</gson-version> | |||
| <spotbugs-maven-plugin-version>3.1.2</spotbugs-maven-plugin-version> | |||
| @@ -286,7 +286,7 @@ | |||
| <plugin> | |||
| <groupId>org.apache.maven.plugins</groupId> | |||
| <artifactId>maven-dependency-plugin</artifactId> | |||
| <version>3.0.2</version> | |||
| <version>3.1.1</version> | |||
| </plugin> | |||
| <plugin> | |||
Laden…