diff options
| author | David Pursehouse | 2018-06-06 04:34:34 +0000 |
|---|---|---|
| committer | David Pursehouse | 2018-06-06 04:34:34 +0000 |
| commit | 0d908de53f5623223791dca59a1464d4cf2e3a51 (patch) | |
| tree | 44dd15a96dc4669c8a49a5816c7cf82ba02d2a72 /pom.xml | |
| parent | cb0abf787e576d676fc703cde6153bf8c0e08c1d (diff) | |
| download | jgit-0d908de53f5623223791dca59a1464d4cf2e3a51.tar.gz jgit-0d908de53f5623223791dca59a1464d4cf2e3a51.tar.xz jgit-0d908de53f5623223791dca59a1464d4cf2e3a51.zip | |
Update maven plugins to fix Zip Slip vulnerability
Zip Slip [1] is an arbitrary file write generic vulnerability, that can
be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war)
archive, that holds path traversal filenames.
According to Maven's announcement [2] several plugins use plexus-archiver to
unpack dependencies to disk and have been identified as potential triggers
for exposing the vulnerability.
Of those, JGit uses the maven-dependency-plugin and the maven-javadoc-plugin.
Update them to the fixed versions reported in [2].
See the corresponding issues for the maven-dependency-plugin [3] and the
maven-javadoc-plugin [4] for details.
[1] https://snyk.io/research/zip-slip-vulnerability
[2] https://maven.apache.org/security-plexus-archiver.html
[3] https://issues.apache.org/jira/browse/MDEP-611
[4] https://issues.apache.org/jira/browse/MJAVADOC-520
Change-Id: Id3ab2d6161db240f2ab8f82298fa3ecd7a930a43
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
Diffstat (limited to 'pom.xml')
| -rw-r--r-- | pom.xml | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -213,7 +213,7 @@ <httpcore-version>4.4.6</httpcore-version> <slf4j-version>1.7.2</slf4j-version> <log4j-version>1.2.15</log4j-version> - <maven-javadoc-plugin-version>3.0.0</maven-javadoc-plugin-version> + <maven-javadoc-plugin-version>3.0.1</maven-javadoc-plugin-version> <tycho-extras-version>1.1.0</tycho-extras-version> <gson-version>2.8.2</gson-version> <spotbugs-maven-plugin-version>3.1.2</spotbugs-maven-plugin-version> @@ -286,7 +286,7 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-dependency-plugin</artifactId> - <version>3.0.2</version> + <version>3.1.1</version> </plugin> <plugin> |