[jira] [Closed] (FLINK-4732) Maven junction plugin security threat

Maximilian Michels (JIRA) Tue, 04 Oct 2016 06:51:31 -0700

     [ 
https://issues.apache.org/jira/browse/FLINK-4732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Maximilian Michels closed FLINK-4732.
-------------------------------------
    Resolution: Fixed

master: 5a573c6bc29c313d34981336d5bfc05185d323d2
release-1.1: a31a22ec7fc08cce8da4e5e97010d1b2cf8124e7

> Maven junction plugin security threat
> -------------------------------------
>
>                 Key: FLINK-4732
>                 URL: https://issues.apache.org/jira/browse/FLINK-4732
>             Project: Flink
>          Issue Type: Bug
>          Components: Build System
>            Reporter: Maximilian Michels
>            Assignee: Maximilian Michels
>            Priority: Critical
>             Fix For: 1.2.0, 1.1.3
>
>
> We use the Maven Junction plugin 
> http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html 
> to create a symbolic link to the build directory. On Windows, the plugin 
> downloads an executable from the author's homepage which may be modified by 
> an attacker. The plugin has not been updated since 2007 and the maintainer 
> has not shown interest to fix the issue.
> I propose to remove the plugin while this security threat persists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Closed] (FLINK-4732) Maven junction plugin security threat

Reply via email to