[ https://issues.apache.org/jira/browse/MNG-5992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hervé Boutemy closed MNG-5992.
------------------------------
       Resolution: Fixed
         Assignee: Hervé Boutemy
    Fix Version/s: 3.5.3  (was: needing-scrub-3.4.0-fallout)

https://git-wip-us.apache.org/repos/asf?p=maven.git&a=commit&h=085ee9f27508f29ff5cbe418eff0eabc98ad1a95

> Git passwords are exposed as the Super POM still uses Maven Release Plugin 2.3.2
> --------------------------------------------------------------------------------
>
>                 Key: MNG-5992
>                 URL: https://issues.apache.org/jira/browse/MNG-5992
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap & Build, Plugins and Lifecycle, POM
>    Affects Versions: 3.3.3, 3.3.9
>         Environment: All
>            Reporter: Ryan J. McDonough
>            Assignee: Hervé Boutemy
>            Priority: Critical
>              Labels: security
>             Fix For: 3.5.3
>
>
> The super POM defines version 2.3.2 of the Maven Release plugin. When using
> HTTP/HTTPS Git SCM URIs, Maven will print out the password in the logs. Thus,
> any CI system such as Jenkins, TravisCI, etc. will have the passwords exposed
> in the logs and in the console output. In the case of TravisCI, this will be
> publicly visible.
> The [Maven Release Plugin fixed this issue in
> MRELEASE-846|https://issues.apache.org/jira/browse/MRELEASE-846], but Maven
> core is still pointing at an exposed version of the Maven Release plugin. I
> have a test case that demonstrates the issue here:
> https://github.com/damnhandy/maven-publish-issue
> If you run the same build and explicitly define 2.5.3, the password is no
> longer displayed. This should be the default.
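One way to catch this in CI before a release run, as an added example that is not code from the Maven project or from the reporter: a small check that reads a pom.xml and reports whether the effective maven-release-plugin version still predates 2.5.3. It assumes the super POM default of 2.3.2 described in the report applies whenever the project pins nothing, and the sample POMs below are constructed.

```python
import xml.etree.ElementTree as ET
from itertools import takewhile

SUPER_POM_DEFAULT = "2.3.2"  # inherited from the super POM when nothing is pinned (MNG-5992)
SAFE_VERSION = "2.5.3"       # version the reporter verified no longer prints the password


def _version_tuple(version):
    """'2.5.3' -> (2, 5, 3); qualifiers such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def release_plugin_version(pom_xml):
    """Version of maven-release-plugin declared in the POM, or None if inherited.
    <build><plugins> is checked before <pluginManagement>, as Maven resolves it;
    POMs with and without the POM namespace are both handled."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = lambda name: "{%s}%s" % (ns, name) if ns else name
    for section in ("build/plugins/plugin", "build/pluginManagement/plugins/plugin"):
        path = "/".join(q(part) for part in section.split("/"))
        for plugin in root.findall(path):
            if plugin.findtext(q("artifactId")) == "maven-release-plugin":
                version = plugin.findtext(q("version"))
                if version:
                    return version.strip()
    return None


def leaks_scm_password(pom_xml):
    """True when the effective release-plugin version predates the 2.5.3 fix."""
    effective = release_plugin_version(pom_xml) or SUPER_POM_DEFAULT
    return _version_tuple(effective) < _version_tuple(SAFE_VERSION)


# Constructed sample POMs: one relying on the super POM default, one pinned to 2.5.3.
UNPINNED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <scm><developerConnection>scm:git:https://git.example.invalid/app.git</developerConnection></scm>
</project>"""
PINNED_POM = UNPINNED_POM.replace("</project>", """  <build><pluginManagement><plugins>
    <plugin><groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-release-plugin</artifactId><version>2.5.3</version></plugin>
  </plugins></pluginManagement></build>
</project>""")
```

Running `leaks_scm_password` over every pom.xml in a repository as a pipeline gate fails the build while the 2.3.2 default is still in effect.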



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)