[jira] [Commented] (FLINK-4732) Maven junction plugin security threat

2016-10-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15545403#comment-15545403 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user mxm commented on the issue:

https://github.com/apache/flink/pull/2586
  
Merged to `master` and `release-1.1`.

@uce I also like the symbolic link. I contacted the maintainer of the 
plugin because it wouldn't be hard to fix this nowadays with Java 7+ which 
supports the creation of symbolic links. I think the lack of this was the 
reason why the author chose to download a binary. However, I don't know why he 
didn't simply ship it with the jar which should have been possible.

  


> Maven junction plugin security threat
> -
>
> Key: FLINK-4732
> URL: https://issues.apache.org/jira/browse/FLINK-4732
> Project: Flink
>  Issue Type: Bug
>  Components: Build System
>Reporter: Maximilian Michels
>Assignee: Maximilian Michels
>Priority: Critical
> Fix For: 1.2.0, 1.1.3
>
>
> We use the Maven Junction plugin 
> http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html 
> to create a symbolic link to the build directory. On Windows, the plugin 
> downloads an executable from the author's homepage which may be modified by 
> an attacker. The plugin has not been updated since 2007 and the maintainer 
> has not shown interest to fix the issue.
> I propose to remove the plugin while this security threat persists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
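As an added illustration of the point mxm makes above (this is not code from the pull request, from Flink, or from the junction plugin): since Java 7, `java.nio.file.Files` can create a symbolic link directly, so a plugin no longer needs a downloaded native helper for this on Windows. The class name, the temporary directory names and the error handling are assumptions made for the example.

```java
import java.io.IOException;
import java.nio.file.FileSystemException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical replacement for a native junction helper (added example, not the plugin's code). */
public final class BuildDirLink {

    /**
     * Creates a symbolic link at {@code linkPath} pointing to {@code targetDir}.
     * A stale link is replaced; a real file or directory at that path is never deleted.
     */
    public static Path link(Path linkPath, Path targetDir) throws IOException {
        if (!Files.isDirectory(targetDir)) {
            throw new IOException("target is not a directory: " + targetDir);
        }
        if (Files.isSymbolicLink(linkPath)) {
            Files.delete(linkPath);            // removes the link itself, not its target
        } else if (Files.exists(linkPath)) {
            throw new IOException("refusing to replace a non-link path: " + linkPath);
        }
        try {
            return Files.createSymbolicLink(linkPath, targetDir.toAbsolutePath());
        } catch (UnsupportedOperationException e) {
            throw new IOException("file system does not support symbolic links", e);
        } catch (FileSystemException e) {
            // On Windows this usually means the build user lacks the
            // "create symbolic links" privilege (or Developer Mode is off).
            throw new IOException("could not create symbolic link " + linkPath
                    + " (on Windows, check the symlink privilege): " + e.getReason(), e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample target directory; names are arbitrary for the demo.
        Path target = Files.createTempDirectory("build-target-demo");
        Path link = target.resolveSibling("build-link-demo");
        Path created = link(link, target);
        System.out.println(created + " -> " + Files.readSymbolicLink(created));
        System.out.println("is symlink: " + Files.isSymbolicLink(created));
        Files.delete(created);                 // clean up the link only
        Files.delete(target);
    }
}
```

Refusing to delete anything that is not already a symbolic link is the part worth keeping in a real build plugin: a link target that is resolved before the delete would otherwise let a stale or attacker-placed path turn a "refresh the link" step into removal of a real directory.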


[jira] [Commented] (FLINK-4732) Maven junction plugin security threat

2016-10-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15545390#comment-15545390 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user asfgit closed the pull request at:

https://github.com/apache/flink/pull/2586




[jira] [Commented] (FLINK-4732) Maven junction plugin security threat

2016-10-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15545385#comment-15545385 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user mxm commented on the issue:

https://github.com/apache/flink/pull/2586
  
Merging to both branches.




[jira] [Commented] (FLINK-4732) Maven junction plugin security threat

2016-10-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15544936#comment-15544936 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user uce commented on the issue:

https://github.com/apache/flink/pull/2586
  
Thanks! It's good to address this. I really liked the symbolic link, maybe 
we can enable it again after this has been resolved by the Maven plugin.

+1 to merge this to `master` and `release-1.1` branches.




[jira] [Commented] (FLINK-4732) Maven junction plugin security threat

2016-10-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15544871#comment-15544871 ]

ASF GitHub Bot commented on FLINK-4732:
---

Github user mxm commented on the issue:

https://github.com/apache/flink/pull/2586
  
CC @uce 




[jira] [Commented] (FLINK-4732) Maven junction plugin security threat

2016-10-04 Thread ASF GitHub Bot (JIRA)

[ https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15544870#comment-15544870 ]

ASF GitHub Bot commented on FLINK-4732:
---

GitHub user mxm opened a pull request:

https://github.com/apache/flink/pull/2586

[FLINK-4732] remove maven junction plugin

On Windows, the plugin may download code from the author's web
site. The downloaded file is not signed in the same way as Maven
artifacts from Maven central which have to be signed with the
developer's key. This could be a potential target for attackers.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/mxm/flink FLINK-4732

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/flink/pull/2586.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #2586


commit dcdac00a0432f66bbf2992c8cfcc502d41a7d8c2
Author: Maximilian Michels 
Date:   2016-10-04T09:12:35Z

[FLINK-4732] remove maven junction plugin

On Windows, the plugin may download code from the author's web
site. The downloaded file is not signed in the same way as Maven
artifacts from Maven central which have to be signed with the
developer's key. This could be a potential target for attackers.




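As an added example of the control the pull request description says is missing (this is not code from the pull request, from Flink, or from the plugin): a file fetched at build time cannot be verified the way a signed Maven Central artifact can, but it can at least be pinned to a digest committed alongside the build configuration, so that a file altered on the author's site is rejected before it is written to disk or executed. The class name, the method names and the sample payload are assumptions constructed for this example; the expected digest would in practice live in the pom or plugin configuration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical pinned-digest gate for a build-time download (added example). */
public final class PinnedDownload {

    /** Hex-encoded SHA-256 of the given bytes. */
    public static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** True only if the bytes hash to the pinned digest; compared in constant time. */
    public static boolean matchesPin(byte[] data, String expectedHex) {
        byte[] actual = sha256Hex(data).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = expectedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(actual, expected);
    }

    /** Writes the download to {@code dest} only when it matches the pin; nothing else is touched. */
    public static Path installIfPinned(byte[] downloaded, String expectedHex, Path dest)
            throws IOException {
        if (!matchesPin(downloaded, expectedHex)) {
            throw new SecurityException("digest mismatch for " + dest
                    + ": expected " + expectedHex + ", got " + sha256Hex(downloaded));
        }
        return Files.write(dest, downloaded);
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the bytes a plugin would fetch over the network.
        byte[] published = "constructed sample helper binary".getBytes(StandardCharsets.UTF_8);
        // Constructed pin; a real build would commit this value next to the plugin config.
        String pin = sha256Hex(published);

        Path dest = Files.createTempFile("pinned-download-demo", ".bin");
        installIfPinned(published, pin, dest);
        System.out.println("accepted: " + dest);

        // A single-byte change on the remote side must be rejected before anything runs.
        byte[] tampered = "constructed sample helper binary!".getBytes(StandardCharsets.UTF_8);
        try {
            installIfPinned(tampered, pin, dest);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.delete(dest);
    }
}
```

A pinned digest is weaker than the key-based signing the description refers to: the pin itself has to reach the build through a trusted channel (the committed configuration) and must be rotated by a reviewer whenever the upstream file legitimately changes, whereas a signature lets the file change under a key the build already trusts. It does, however, turn a silently modified download into a hard build failure, which is the property the thread is after.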