[
https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16356595#comment-16356595
]
Hudson commented on MNG-5992:
-----------------------------
Build succeeded in Jenkins: Maven TLP (wip) » maven » master #33
See https://builds.apache.org/job/maven-wip/job/maven/job/master/33/
> Git passwords are exposed as the Super POM still uses Maven Release Plugin
> 2.3.2
> --------------------------------------------------------------------------------
>
> Key: MNG-5992
> URL: https://issues.apache.org/jira/browse/MNG-5992
> Project: Maven
> Issue Type: Improvement
> Components: Bootstrap & Build, Plugins and Lifecycle, POM
> Affects Versions: 3.3.3, 3.3.9
> Environment: All
> Reporter: Ryan J. McDonough
> Priority: Critical
> Labels: security
> Fix For: needing-scrub-3.4.0-fallout
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using
> HTTP/HTTPS Git SCM URIs, Maven will printout the password in the logs. Thus,
> any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed
> in the logs and in the console output. In the case of TravisCI, this will be
> publicly visible.
> The [Maven Release Plugin fixed this issue in
> MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven
> core is still pointing at an exposed version of the Maven Release plugin. I
> have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no
> longer displayed. This should be the default.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
