[jira] [Created] (FLINK-4732) Maven junction plugin security threat

Shang Yuanchun (Jira)
Maximilian Michels created FLINK-4732:
-----------------------------------------

             Summary: Maven junction plugin security threat
                 Key: FLINK-4732
                 URL: https://issues.apache.org/jira/browse/FLINK-4732
             Project: Flink
          Issue Type: Bug
          Components: Build System
            Reporter: Maximilian Michels
            Assignee: Maximilian Michels
            Priority: Critical
             Fix For: 1.2.0, 1.1.3


We use the Maven Junction plugin http://pyx4j.com/pyx4j-maven-plugins/maven-junction-plugin/introduction.html to create a symbolic link to the build directory. On Windows, the plugin downloads an executable from the author's homepage which may contain vulnerable code. The plugin has not been updated since 2007.

I propose to remove the plugin while this security threat persists.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)