eclipse-jgit / jgit

JGit, the Java implementation of git
https://www.eclipse.org/jgit/

Upgrade to Apache MINA SSHD 2.12.0 #16

Closed tomaswolf closed 5 months ago

tomaswolf commented 6 months ago

Description

Upstream will release a new release 2.12.0 soon. Update the minimum required version in JGit to 2.12.0.

Motivation

That upstream release includes the fix for CVE-2023-48795 ("strict KEX" protocol extension mitigating the "Terrapin attack").

By bumping the dependency in JGit to 2.12.0, JGit will profit from this CVE fix.

Alternatives considered

No response

Additional context

No response
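The motivation above rests on the "strict KEX" extension: both peers advertise a pseudo-algorithm in the KEXINIT kex name-list (kex-strict-c-v00@openssh.com from the client, kex-strict-s-v00@openssh.com from the server), and only when both are present is the Terrapin prefix-truncation attack neutralised. After an upgrade like this one, the practical check is whether the two sides of a real connection actually negotiate it. The following script is an added example written for this page, not code from JGit or Apache MINA SSHD: it parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1 wire layout), applies the standard first-client-preference negotiation rule, and reports whether the session would be negotiated with strict KEX and whether an affected algorithm combination (ChaCha20-Poly1305, or a CBC cipher with an EtM MAC) would be chosen. The KEXINIT payloads in it are constructed test vectors, not captured traffic, and the build_kexinit helper exists only to construct them.

```python
"""Parse SSH_MSG_KEXINIT payloads and check whether a client/server pair would
negotiate strict KEX, the CVE-2023-48795 (Terrapin) mitigation.

Added example for this issue, not code from JGit or Apache MINA SSHD.
All KEXINIT payloads below are constructed test vectors, not captures."""
import struct
from dataclasses import dataclass

SSH_MSG_KEXINIT = 20
# Pseudo-algorithms placed in the kex name-list to signal strict KEX support.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


@dataclass
class KexInit:
    lists: dict                     # field name -> algorithms in the sender's preference order
    first_kex_packet_follows: bool


def _read_name_list(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list body")
    raw = buf[off:off + n].decode("ascii")
    return [a for a in raw.split(",") if a], off + n


def parse_kexinit(payload: bytes) -> KexInit:
    """Decode an SSH_MSG_KEXINIT payload (binary-packet framing already removed)."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17                                   # 1-byte message id + 16-byte random cookie
    lists = {}
    for name in NAME_LISTS:
        lists[name], off = _read_name_list(payload, off)
    # Trailer: boolean first_kex_packet_follows, then uint32 reserved (must be 0).
    if off + 5 != len(payload) or payload[off + 1:off + 5] != b"\x00\x00\x00\x00":
        raise ValueError("malformed KEXINIT trailer")
    return KexInit(lists, payload[off] != 0)


def build_kexinit(**lists) -> bytes:
    """Serialise a KEXINIT payload with a zero cookie; used here only to build test vectors."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows=false, reserved=0


def _choose(client: list, server: list):
    """RFC 4253 section 7.1 rule: the first client preference that the server also lists."""
    return next((a for a in client if a in server), None)


def _combo_affected(cipher, mac) -> bool:
    """Combinations Terrapin can exploit: ChaCha20-Poly1305, or a CBC cipher with an EtM MAC."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True
    return bool(cipher and mac and cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))


def assess(client: KexInit, server: KexInit) -> dict:
    """Work out what this pair negotiates and whether the session stays exposed."""
    strict = (STRICT_KEX_CLIENT in client.lists["kex"]
              and STRICT_KEX_SERVER in server.lists["kex"])
    c2s = (_choose(client.lists["enc_c2s"], server.lists["enc_c2s"]),
           _choose(client.lists["mac_c2s"], server.lists["mac_c2s"]))
    s2c = (_choose(client.lists["enc_s2c"], server.lists["enc_s2c"]),
           _choose(client.lists["mac_s2c"], server.lists["mac_s2c"]))
    affected = _combo_affected(*c2s) or _combo_affected(*s2c)
    # Strict KEX on both sides closes the attack even when an affected combination is chosen.
    return {"strict_kex": strict, "c2s": c2s, "s2c": s2c, "exposed": affected and not strict}


# Constructed scenarios (hypothetical peers, not captured traffic).
_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"]
_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]


def _peer(kex_extra, ciphers=_CIPHERS, macs=_MACS) -> bytes:
    return build_kexinit(kex=["curve25519-sha256"] + kex_extra, host_key=["ssh-ed25519"],
                         enc_c2s=ciphers, enc_s2c=ciphers, mac_c2s=macs, mac_s2c=macs,
                         comp_c2s=["none"], comp_s2c=["none"])


CLIENT_PATCHED = _peer([STRICT_KEX_CLIENT])                    # client on a fixed SSH library
SERVER_LEGACY = _peer([])                                      # server without strict KEX
SERVER_PATCHED = _peer([STRICT_KEX_SERVER])                    # server with strict KEX
SERVER_GCM_ONLY = _peer([], ciphers=["aes256-gcm@openssh.com"])  # offers no affected cipher


def demo() -> dict:
    c = parse_kexinit(CLIENT_PATCHED)
    return {"legacy": assess(c, parse_kexinit(SERVER_LEGACY)),
            "patched": assess(c, parse_kexinit(SERVER_PATCHED)),
            "gcm_only": assess(c, parse_kexinit(SERVER_GCM_ONLY))}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9s} strict_kex={r['strict_kex']} c2s={r['c2s']} exposed={r['exposed']}")
```

The three scenarios show the point of the upgrade: against a legacy server the patched client still ends up on chacha20-poly1305@openssh.com without strict KEX and is exposed; the same algorithms with strict KEX on both sides are not; and a server that offers no affected cipher is not exposed even without the extension. Feeding real KEXINIT payloads in (for example from a packet capture, after stripping the binary-packet length, padding-length and padding bytes) gives the same verdict for an actual connection.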

tomaswolf commented 6 months ago

Upstream release is done and available at Maven Central.

tomaswolf commented 6 months ago

See Gerrit change 1174776. This will need license vetting.

I still don't know what exactly I'd have to do where (in Apache MINA SSHD or at clearlydefined or wherever) to make the dash license tool happy with new releases of sshd-osgi and sshd-sftp.

@msohn can you help with this again?

msohn commented 6 months ago

That's documented in the contributor guide section "Dependencies and License Check". To auto-generate iplab tickets run mvn clean install -Ddash.iplab.token="<gitlab token>" with a gitlab token with scope "api".

Meanwhile the license check succeeds, I guess the ClearlyDefined rating improved by automatic scanning.