jsch/jsch.changes

426 lines
18 KiB
Plaintext
Raw Permalink Normal View History

-------------------------------------------------------------------
Wed Dec 20 12:47:08 UTC 2023 - Gus Kenion <gkenion@suse.com>
- Upgrade to version 0.2.15, which includes fix for SSH protocol
vulnerability (bsc#1218134, CVE-2023-48795)
* Changes in 0.2.15:
+ Address CVE-2023-48795 by adding support for new strict key
exchange extension
+ Add support for ext-info-in-auth@openssh.com extension
+ Introduce two new config options to control usage of the new
strict key exchange extension:
~ enable_strict_kex (set to yes by default)
~ require_strict_kex (set to no by default)
~ If either option (or both) is enabled, then JSch will
attempt to use the new strict key exchange extension.
~ If the require_strict_kex option is enabled and JSch detects
the server does not support it, then JSch will terminate the
connection and throw an exception.
~ If the require_strict_kex option is not enabled and JSch
detects the server does not support it, then JSch will
fallback and proceed with the connection without using the
new extension.
+ This gives users the ability to enable a strong security
posture if needed and avoid proceeding with connections to
potentially insecure servers.
* Changes in 0.2.14:
+ #450 use Socket.connect() with a timeout that has been
supported since Java 1.4 instead of using old method of
creating a separate thread and joining to that thread with
timeout
* Changes in 0.2.13:
+ #411 Add flush operation from Fix added is/jsch#39,
with new config option to allow disabling in case it causes
regressions.
+ #403 add a warning when Channel.getInputStream() or
Channel.getExtInputStream() is called after Channel.connect().
* Changes in 0.2.12:
+ Further refine previous fixes for windows line endings in PEM
keys
+ #392 replace call to BigInteger.intValueExact to remain
compatible with android api 30
+ Introduce JSchSessionDisconnectException to allow the
reasonCode to be retrieved without String parsing
+ Introduce specific JSchException for HostKey related failures
* Changes in 0.2.11:
+ update dependencies changes
+ #369 fix multi-line PEM key parsing to work with windows line
endings due to regression from previous fix for #362.
* Changes in 0.2.10:
+ Fix new Java 21 compiler warning: possible 'this' escape
before subclass is fully initialized
+ Tweak OSGi bundle manifest to allow Log4j 3
+ #362 fix PEM key parsing to work with windows line endings
+ #361 guard against UIKeyboardInteractive implementations that
include NULL elements in the String[] returned from
promptKeyboardInteractive()
+ Add a default implmentation of the deprecated decrypt() method
to the Identity interface that throws an
UnsupportedOperationException
-------------------------------------------------------------------
Sat Jun 3 11:03:46 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Migrate from com.jcraft:jsch to com.github.mwiede:jsch fork
(bsc#1211955)
* Alias to the old artifact since the new one is drop-in
replacement
* Keep the old OSGi bundle symbolic name to avoid extensive
patching of eclipse stack
- Upgrade to version 0.2.9
* Changes of 0.2.9
+ various improvements, #295
~ #293 allow UserAuthNone to be extended.
~ Make JGSS module optional.
~ Tweak OSGi bundle manifest:
~ Avoid self-import.
~ Mark JGSS as optional.
~ Loosen import versions of dependencies.
~ Correctly adhere to the Multi-release JAR spec by ensuring
all public classes under versioned directories preside over
classes present in the top-level directory.
~ Eliminate stray System.err.println() calls.
~ Change PageantConnector to use JNA's built-in support for
User32.SendMessage().
+ Improve error handling in InputStream.close() for SFTP
channels, #331
* Changes of 0.2.8
+ activate sourcecode formatting, #247
+ build improvements, #279
+ #287 add algorithm type information to algorithm negotiation
logs, #290
+ wrap NoClassDefFoundError's for invalid private keys, #289 and
#290
* Changes of 0.2.7
+ #265 change buffer_margin computation to be dynamic based upon
the MAC to allow connections that advertise small maximum
packet sizes.
+ #266 fix PuTTY key parsing to work with unix line endings.
+ Add support for ECDSA and EdDSA type PuTTY keys.
+ #71 add support for PuTTY version 3 format keys.
~ Encrypted PuTTY version 3 format keys requires Bouncy
Castle (bcprov-jdk18on).
+ Eliminate KeyPairDeferred and instead change handling of
OpenSSH V1 type keys to be more like other KeyPair types.
+ Be more vigilant about clearing private key data.
+ Improve PKCS8 key handling and add support for PKCS5 2.1
encryption.
+ Add support for ECDSA type PKCS8 keys.
+ Add support for SCrypt type KDF for PKCS8 keys.
~ PKCS8 keys using SCrypt requires Bouncy Castle
(bcprov-jdk18on).
+ Add support for EdDSA type PKCS8 keys.
~ EdDSA type PKCS8 keys requires Bouncy Castle
(bcprov-jdk18on).
+ Attempt to authenticate using other signature algorithms
supported by the same public key.
~ Allow this behavior to be disabled via
try_additional_pubkey_algorithms config option.
° Some servers incorrectly respond with
SSH_MSG_USERAUTH_PK_OK to an initial auth query that they
don't actually support for RSA keys.
+ Add a new config option enable_pubkey_auth_query to allow
skipping auth queries and proceed directly to attempting
full SSH_MSG_USERAUTH_REQUEST's.
+ Add a new config option enable_auth_none to control whether
an initial auth request for the method none is sent to detect
all supported auth methods available on the server.
* Changes of 0.2.6
+ Include host alias instead of the real host in messages and
exceptions, #257
+ Fix missing keySize set when loading V1 RSA keys, #258
+ Enhancement to present KeyPair.getKeyTypeString() method, #259
* Changes of 0.2.5
+ Explictly free resources in Compression implementations, #241
+ Fix integration test failures on Apple Silicon by skipping
OpenSSH 7.4 tests, #227
+ generate osgi bundle manifest data for jar #248, #249
* Changes of 0.2.4
+ Improved excepton handling by @norrisjeremy in #200
* Changes of 0.2.3
+ #188 fix private key length checks for ssh-ed25519 and
ssh-ed448, #189
* Changes of 0.2.2
+ setup jdk for code-ql analysis, #151
+ misc improvements, #152
+ Fixing Issue #131, #134
+ Update link to bcrypt, #157
* Changes of 0.2.1
+ Allow to set a Logger per JSch-instance rather than a VM-wide
one, #128
+ Preliminary changes prior to Javadoc work, #126
+ remove check to allow setting any filename encoding with any
server version #137, #142
* Changes of 0.2.0
+ Disable RSA/SHA1 signature algorithm by default #75
+ Add basic Logger implementations that can be optionally
utilized with JSch.setLogger():
~ JulLogger, using java.util.logging.Logger
~ JplLogger, using Java 9's JEP 264
~ Log4j2Logger, using Apache Log4j 2
~ Slf4jLogger, using SLF4J
+ Fix client version to be compliant with RFC 4253 section 4.2
by not including minus sign characters #115
+ Add java.util.zip based compression implementation #114
~ This is based upon the CompressionJUZ implementation posted
to the JSch-users mailing list in 2012 by the original JSch
author
~ The existing JZlib implementation remains the default to
maintain strict RFC 4253 section 6.2 compliance
° To use the new implementation globally, execute
JSch.setConfig("zlib@openssh.com",
"com.jcraft.jsch.juz.Compression") +
JSch.setConfig("zlib", "com.jcraft.jsch.juz.Compression")
° To use the new implementation per session, execute
session.setConfig("zlib@openssh.com",
"com.jcraft.jsch.juz.Compression")
+ session.setConfig("zlib",
"com.jcraft.jsch.juz.Compression")
* Changes of 0.1.72
+ Switch chacha20-poly1305@openssh.com algorithm to a pure
Bouncy Castle based implementation
+ implement openssh config behavior to handle append, prepend
and removal of algorithms #104
* Changes of 0.1.71
+ Address #98 by restoring JSch.VERSION
* Changes of 0.1.70
+ Address #89 by fixing rare ECDSA signature validation issue
+ Address #93 by always setting the "want reply" flag for "env"
type channel requests to false
* Changes of 0.1.69
+ Address #83 by sending CR LF at the end of the identification
string
+ Fix earlier change for #76 that failed to correctly make the
"Host" keyword case-insensitive
+ Fix PageantConnector struct class visibility #86
* Changes of 0.1.68
+ Added support for the rijndael-cbc@lysator.liu.se algorithm
+ Added support for the hmac-ripemd160,
hmac-ripemd160@openssh.com and hmac-ripemd160-etm@openssh.com
algorithms using Bouncy Castle
+ Added support for various algorithms from RFC 4253 and
RFC 4344 using Bouncy Castle
~ cast128-cbc
~ cast128-ctr
~ twofish-cbc
~ twofish128-cbc
~ twofish128-ctr
~ twofish192-cbc
~ twofish192-ctr
~ twofish256-cbc
~ twofish256-ctr
+ Added support for the seed-cbc@ssh.com algorithm using Bouncy
Castle
* Changes of 0.1.67
+ Added support for the blowfish-ctr algorithm from RFC 4344
+ Fix bug where ext-info-c was incorrectly advertised during
rekeying
~ According to RFC 8308 section 2.1, ext-info-c should only
advertised during the first key exchange
+ Address #77 by attempting to add compatibility with older
Bouncy Castle releases
* Changes of 0.1.66
+ Added support for RFC 8308 extension negotiation and
server-sig-algs extension
~ This support is enabled by default, but can be controlled
via the enable_server_sig_algs config option (or
jsch.enable_server_sig_algs system property)
~ When enabled and a server-sig-algs message is received from
the server, the algorithms included by the server and also
present in the PubkeyAcceptedKeyTypes config option will be
attempted first when using publickey authentication
~ Additionally if the server is detected as OpenSSH version
7.4, the rsa-sha2-256 and rsa-sha2-512 algorithms will be
added to the received server-sig-algs as a workaround for
OpenSSH bug 2680
+ Added support for various algorithms supported by Tectia
(ssh.com):
~ diffie-hellman-group14-sha224@ssh.com
~ diffie-hellman-group14-sha256@ssh.com
~ diffie-hellman-group15-sha256@ssh.com
~ diffie-hellman-group15-sha384@ssh.com
~ diffie-hellman-group16-sha384@ssh.com
~ diffie-hellman-group16-sha512@ssh.com
~ diffie-hellman-group18-sha512@ssh.com
~ diffie-hellman-group-exchange-sha224@ssh.com
~ diffie-hellman-group-exchange-sha384@ssh.com
~ diffie-hellman-group-exchange-sha512@ssh.com
~ hmac-sha224@ssh.com
~ hmac-sha256@ssh.com
~ hmac-sha256-2@ssh.com
~ hmac-sha384@ssh.com
~ hmac-sha512@ssh.com
~ ssh-rsa-sha224@ssh.com
~ ssh-rsa-sha256@ssh.com
~ ssh-rsa-sha384@ssh.com
~ ssh-rsa-sha512@ssh.com
+ Added support for SHA224 to FingerprintHash
+ Fixing #52
+ Deprecate void setFilenameEncoding(String encoding) in favor
of void setFilenameEncoding(Charset encoding) in ChannelSftp
+ Added support for rsa-sha2-256 and rsa-rsa2-512 algorithms to
ChannelAgentForwarding
+ Address #65 by adding ssh-agent support derived from
jsch-agent-proxy
~ See examples/JSchWithAgentProxy.java for simple example
~ ssh-agent support requires either Java 16's JEP 380 or the
addition of junixsocket to classpath
~ Pageant support is untested and requires the addition of JNA
to classpath
+ Added support for the following algorithms with older Java
releases by using Bouncy Castle:
~ ssh-ed25519
~ ssh-ed448
~ curve25519-sha256
~ curve25519-sha256@libssh.org
~ curve448-sha512
~ chacha20-poly1305@openssh.com
* Changes of 0.1.65
+ Added system properties to allow manipulation of various
crypto algorithms used by default
+ Integrated JZlib, allowing use of zlib@openssh.com and zlib
compressions without the need to provide the JZlib jar-file
+ Modularized the jar-file for use with Java 9 or newer
+ Added runtime controls for the min/max/preferred sizes used
for diffie-hellman-group-exchange-sha256 and
diffie-hellman-group-exchange-sha1
+ Renamed PubkeyAcceptedKeyTypes config to
PubkeyAcceptedAlgorithms to match recent changes in OpenSSH
(PubkeyAcceptedKeyTypes is still accepted for backward
compatibility)
+ Reduced number of algorithms that are runtime checked by
default via CheckCiphers, CheckMacs, CheckKExes and
CheckSignatures to improve runtime performance
* Changes of 0.1.64
+ #55 bug fix
* Changes of 0.1.63
+ fix for #42
* Changes 0.1.62
+ #13 reject HostKey with some servers
+ #20 Include TestBCrypt.java unit test
+ #21 Misc cleanup
+ #27 Update Testcontainers to newest version to fix test
failures
+ #34 NPE with openssh v1 format
* Changes 0.1.61
+ Add support for chacha20-poly1305@openssh.com, ssh-ed25519,
ssh-ed448, curve448-sha512, diffie-hellman-group15-sha512
and diffie-hellman-group17-sha512.
This makes use of the new EdDSA feature added in Java 15's
JEP 339. #17
+ added integration test for public key authentication #19
* Changes of 0.1.60
+ support for openssh-v1-private-key format
+ Fix bug with AEAD ciphers when compression is used. #15
* Changes of 0.1.59
+ fixing issue #6 (originally from
https://sourceforge.net/p/jsch/mailman/message/36872566/)
* Changes of 0.1.58
+ adds support for more algorithms, see #4
* Changes of 0.1.57
+ support for rsa-sha2-256 and rsa-sha2-512. #1
* Changes of 0.1.56
+ support for direct-streamlocal@openssh.com
(see SocketForwardingL.java)
- Removed patches:
* jsch-0.1.54-sourcetarget.patch
* jsch-osgi-manifest.patch
+ both problems are handled differently in the new version
- Added patches:
* jsch-junixsocket.patch
+ disable building with dependency that we don't have
* jsch-log4j.patch
+ disable building with log4j support in order to avoid a
huge build cycle
-------------------------------------------------------------------
Sat Mar 19 21:51:39 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Modified patch:
* jsch-0.1.54-sourcetarget.patch
+ build with source/target levels 8
-------------------------------------------------------------------
Tue Apr 7 13:56:09 UTC 2020 - Fridrich Strba <fstrba@suse.com>
- Version 0.1.55
-------------------------------------------------------------------
Tue Apr 7 13:52:31 UTC 2020 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* jsch-osgi-manifest.patch
+ create the osgi manifest during the ant build
+ replaces the MANIFEST.MF file
- Miscellaneous clean-up
-------------------------------------------------------------------
Fri Sep 20 13:37:00 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Remove reference to the parent from pom file, since we are not
building with maven
-------------------------------------------------------------------
Fri Sep 8 08:31:01 UTC 2017 - fstrba@suse.com
- Added patch:
* jsch-0.1.54-sourcetarget.patch
- Specify java source and target levels to 1.6, in order to
allow building with jdk9
-------------------------------------------------------------------
Fri Jun 9 10:59:34 UTC 2017 - tchvatal@suse.com
- Build with full java, does not compile with gcj
-------------------------------------------------------------------
Fri May 19 09:59:03 UTC 2017 - dziolkowski@suse.com
- New build dependency: javapackages-local
-------------------------------------------------------------------
Sun Feb 12 21:45:09 UTC 2017 - guoyunhebrave@gmail.com
- Version 0.1.54
-------------------------------------------------------------------
Wed Mar 18 09:46:14 UTC 2015 - tchvatal@suse.com
- Fix build with new javapackages-tools
-------------------------------------------------------------------
Tue Jun 17 15:49:57 UTC 2014 - tchvatal@suse.com
- Version bump to 0.1.51
- Cleanup with spec-cleaner
- Add maven and osgi things same as in Fedora.
-------------------------------------------------------------------
Mon Sep 9 11:06:06 UTC 2013 - tchvatal@suse.com
- Move from jpackage-utils to javapackage-tools
-------------------------------------------------------------------
Mon May 13 06:15:53 UTC 2013 - mvyskocil@suse.com
- update to 0.1.50
* fixes connection errors with "verify: false" when running on
Java 7u6 (and later).
* The OpenSSH config file and the key exchange method
"diffie-hellman-group-exchange-sha256" are now supported
-------------------------------------------------------------------
Tue Oct 16 08:39:25 UTC 2012 - mvyskocil@suse.com
- update to 0.1.49
* Putty's private key files support
* hmax-sha2-256 defined in RFC6668 is supported
* integration with jsch-agent-proxy
* and many bugfixes
-------------------------------------------------------------------
Tue Apr 28 11:23:11 CEST 2009 - mvyskocil@suse.cz
- Initial SUSE packaging of version 0.1.40 (from jpp5)