- Updated to upstream version 2.14.0

- Changes in version 2.14.0
  * Bug Fixes
    + GH-524 Performance improvements
    + GH-533 Fix multi-step authentication
    + GH-582 Fix filtering in NamedFactory
    + GH-587 Prevent NullPointerException on closed channel in
      NettyIoSession
    + GH-590 Better support for FIPS
    + GH-597 Pass on Charset in
      ClientSession.executeRemoteCommand()
  * New Features
    + New utility methods SftpClient.put(Path localFile, String
      remoteFileName) and SftpClient.put(InputStream in, String
      remoteFileName) facilitate SFTP file uploading.
  * GH-590 Better support for FIPS
    Besides fixing a bug with bc-fips (the RandomGenerator class
    exists in normal Bouncy Castle, but not in the FIPS version,
    but Apache MINA sshd referenced it even if only bc-fips was
    present), support was improved for running in an environment
    restricted by FIPS.
    There is a new system property
    org.apache.sshd.security.fipsEnabled. If set to true, a number
    of crypto-algorithms not approved by FIPS 140 are disabled:
      + key exchange methods sntrup761x25519-sha512,
        sntrup761x25519-sha512@openssh.com, curve25519-sha256,
        curve25519-sha256@libssh.org, curve448-sha512.
      + the chacha20-poly1305 cipher.
      + the bcrypt KDF used in encrypted private key files in
        OpenSSH format.
      + all ed25519 keys and signatures.
    Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar
    (see below) and the EdDSASecurityProviderRegistrar are
    disabled, and the BouncyCastleSecurityProviderRegistrar looks
    only for the "BCFIPS" security provider, not for the normal
    "BC" provider.
    If the system property is not set to true, FIPS mode can be
    enabled programmatically by calling SecurityUtils.setFipsMode()
    before any other call to Apache MINA sshd.
  * Potential compatibility issues
    + New security provider registrar
      There is a new SecurityProviderRegistrar that is registered
      by default if there is a SunJCE security provider. It uses
      the AES and HmacSHA* implementations from SunJCE even if
      Bouncy Castle is also registered. SunJCE has native
      implementations, whereas Bouncy Castle may not.
      The new registrar has the name "SunJCEWrapper" and can be
      configured like any other registrar. It can be disabled via
      the system property
      org.apache.sshd.security.provider.SunJCEWrapper.enabled=false.
      It is also disabled in FIPS mode (see above).
    + GH-582 Fix filtering in NamedFactory
      The methods NamedFactory.setupBuiltinFactories(boolean
      ignoreUnsupported, ...) and
      NamedFactory.setupTransformedFactories(boolean
      ignoreUnsupported, ...) had a bug that gave the
      "ignoreUnsupported" parameter actually the meaning of
      "include unsupported".
      This was fixed in this release, but existing code calling
      these or one of the following methods:
        ~ BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported)
        ~ BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported)
        ~ ClientBuilder.setUpDefaultCompressionFactories(boolean
          ignoreUnsupported)
        ~ ClientBuilder.setUpDefaultKeyExchanges(boolean
          ignoreUnsupported)
        ~ ClientBuilder.setUpDefaultSignatureFactories(boolean
          ignoreUnsupported)
        ~ ServerBuilder.setUpDefaultCompressionFactories(boolean
          ignoreUnsupported)
        ~ ServerBuilder.setUpDefaultKeyExchanges(boolean
          ignoreUnsupported)
        ~ ServerBuilder.setUpDefaultSignatureFactories(boolean
          ignoreUnsupported)
        ~ any of the methods starting with
          SshConfigFileReader.configure
        ~ SshClientConfigFileReader.configure(...)
        ~ SshServerConfigFileReader.configure(...)
      should be reviewed:
        ~ if the method is called with parameter value true, the
          result will no longer include unsupported algorithms.
          Formerly it wrongly did.
        ~ if the method is called with parameter value false, the
          result may include unsupported algorithms. Formerly it
          did not.
      So if existing code used parameter value false to ensure it
      never got unsupported algorithms, change it to true.
  * Major Code Re-factoring
    + JDK requirements
      ~ GH-536 The project now requires JDK 17 at build time, while
        the target runtime still remains unchanged to support JDK
        8.
- Changes in version 2.13.2
  * What's Changed
    + GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in #528
- Changes in version 2.13.1
  * What's changed
    + This release does not contain any code changes. It is solely
      to rectify the issue that the 2.13.0 release encountered
      during the release process, where the source jars were not
      created.
- Changes in version 2.13.0
  * What's changed
    + GH-318: Handle cascaded proxy jumps by @tomaswolf in #512
    + GH-427: Read initial ACK on channel open prior to direct
      stream upload & close streams prior to exit code handling by
      @TerraNibble in #464
    + GH-455: ensure BaseCipher.update() fulfills the contract by
      @tomaswolf in #463
    + GH-470: Synchronize not thread safe
      java.security.KeyPairGenerator.generateKe… by
      @zakharovsergey1000 in #467
    + GH-476: Fix Android detection false negative by @wh0
    + GH-475: Switch uses of JSch library to the
      com.github.mwiede:jsch fork by @Alex-Vol-Amz
    + GH-472: change client start condition in sshd-spring-sftp by
      @alwaystom
    + GH-489: sftp readdir: determine file type from longname by
      @tomaswolf in #491
    + GH-486: Add missing U2F {ed25519,ecdsa}-sk public key
      equality methods by @lf-
    + SSHD-1237 Handle keep-alive channel requests by @tomaswolf in
      #492
    + GH-494: Nio2Session improvements by @evgeny-pasynkov
    + GH-468: Handle excess data in SFTP read requests by
      @tomaswolf in #495
    + GH-498: Implement the "sntrup761x25519-sha512@openssh.com"
      KEX method by @tomaswolf
    + GH-500: SftpFileSystemProvider: close SftpClient on exception
      by @tomaswolf in #501
    + GH-504: Pass reason to sessionNegotiationEnd by @duco-lw in
      #505
    + GH-461: Fix heartbeats with wantReply=true by @tomaswolf in
      #507
    + GH-493: Fix arcfour128 and arcfour256 ciphers (regression in
      2.2.0)
    + GH-509: SFTP v[456] client: validate attribute flags
    + GH-510: Fix class name in BuiltinIoServiceFactoryFactories
      (regression in 2.6.0)
  * New Features
    + sntrup761x25519-sha512@openssh.com Key Exchange
      The key exchange method sntrup761x25519-sha512@openssh.com is
      now available if the Bouncy Castle library is available.
      This uses a post-quantum key encapsulation method (KEM) to
      make key exchange future-proof against quantum attacks.
      More information can be found in IETF Memo Secure Shell (SSH)
      Key Exchange Method Using Hybrid Streamlined NTRU Prime
      sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512.
    + Behavioral changes and enhancements
      ~ GH-318 Handle cascaded proxy jumps
        Proxy jumps can be configured via host configuration
        entries in two ways. First, proxies can be chained directly
        by specifying several proxies in one ProxyJump directive:
          Host target
          Hostname somewhere.example.org
          User some_user
          IdentityFile ~/.ssh/some_id
          ProxyJump jumphost2, jumphost1
          Host jumphost1
          Hostname jumphost1@example.org
          User jumphost1_user
          IdentityFile ~/.ssh/id_jumphost1
          Host jumphost2
          Hostname jumphost2@example.org
          User jumphost2_user
          IdentityFile ~/.ssh/id_jumphost2
        Connecting to server target will first connect to
        jumphost1, then tunnel through to jumphost2, and finally
        tunnel to target. So the full connection will be
        client→jumphost1→jumphost2→target.
        Such proxy jump chains were already supported in Apache
        MINA SSHD.
        Newly, Apache MINA SSHD also supports cascading proxy
        jumps, so a configuration like
          Host target
          Hostname somewhere.example.org
          User some_user
          IdentityFile ~/.ssh/some_id
          ProxyJump jumphost2
          Host jumphost1
          Hostname jumphost1@example.org
          User jumphost1_user
          IdentityFile ~/.ssh/id_jumphost1
          Host jumphost2
          Hostname jumphost2@example.org
          ProxyJump jumphost1
          User jumphost2_user
          IdentityFile ~/.ssh/id_jumphost2
        also works now, and produces the same connection
        client→jumphost1→jumphost2→target.
        It is possible to mis-configure such proxy jump cascades to
        have loops. (For instance, if host jumphost1 in the above
        example had a ProxyJump jumphost2 directive.) To catch such
        misconfigurations, Apache MINA SSHD imposes an upper limit
        on the total number of proxy jumps in a connection. An
        exception is thrown if there are more than
        CoreModuleProperties.MAX_PROXY_JUMPS proxy jumps in a
        connection. The default value of this property is 10. Most
        real uses of proxy jumps will have one or maybe two proxy
        jumps only.
      ~ GH-461 Fix heartbeats with wantReply=true
        The client-side heartbeat mechanism has been updated. Such
        heartbeats are configured via the
        CoreModuleProperties.HEARTBEAT_INTERVAL property. If this
        interval is > 0, heartbeats are sent to the server.
        Previously these heartbeats could also be configured with a
        CoreModuleProperties.HEARTBEAT_REPLY_WAIT timeout. If the
        timeout was <= 0, the client would just send heartbeat
        requests without expecting any answers. If the timeout was
        > 0, the client would send requests with a flag indicating
        that the server should reply. The client would then wait
        for the specified duration for the reply and would
        terminate the connection if none was received.
        This mechanism could cause trouble if the timeout was
        fairly long and the server was slow to respond. A timeout
        longer than the interval could also delay subsequent
        heartbeats.
        The CoreModuleProperties.HEARTBEAT_REPLY_WAIT property is
        now deprecated.
        There is a new configuration property
        CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX instead. It
        defines a limit for the number of heartbeats sent without
        receiving a reply before a session is terminated. If the
        value is <= 0, the client still sends heartbeats without
        expecting any reply. If the value is > 0, the client will
        request a reply from the server for each heartbeat message,
        and it will terminate the connection if the number of
        unanswered heartbeats reaches
        CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.
        This new way to configure heartbeats aligns with the
        OpenSSH configuration options ServerAliveInterval and
        ServerAliveCountMax.
        For compatibility with older configurations that explicitly
        define CoreModuleProperties.HEARTBEAT_REPLY_WAIT, the new
        code maps this to the new configuration (but only if
        CoreModuleProperties.HEARTBEAT_INTERVAL > 0 and the new
        property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX has
        not been set) by setting
        CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX to
          = CoreModuleProperties.HEARTBEAT_REPLY_WAIT <= 0:
            CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX = 0
          = otherwise: (CoreModuleProperties.HEARTBEAT_REPLY_WAIT /
            CoreModuleProperties.HEARTBEAT_INTERVAL) + 1.
      ~ GH-468 SFTP: validate length of data received: must not be
        more than requested
        SFTP read operations now check the amount of data they get
        back. If it's more than requested an exception is thrown.
        SFTP servers must never return more data than the client
        requested, but it appears that there are some that do so.
        If property SftpModuleProperties.TOLERATE_EXCESS_DATA is
        set to true, a warning is logged and such excess data is
        silently discarded.
  * Potential compatibility issues
    + AES-CBC ciphers removed from server's defaults
      The AES-CBC ciphers aes128-cbc, aes192-cbc, and aes256-cbc
      have been removed from the default list of cipher algorithms
      that a server proposes in the key exchange. OpenSSH has
      removed these cipher algorithms from the server proposal in
      2014, and has removed them from the client proposal in 2017.
      The cipher implementations still exist but they are not
      enabled by default. Existing code that explicitly sets the
      cipher factories is unaffected. Code that relies on the
      default settings will newly create a server that does not
      support the CBC-mode ciphers. To enable the CBC-mode ciphers,
      one can use for instance
        SshServer server = ServerBuilder.builder()
          ...
          .cipherFactories(BuiltinFactory.setUpFactories(false,
              BaseBuilder.DEFAULT_CIPHERS_PREFERENCES));
          ...
          .build();
      For the SSH client, the CBC ciphers are still enabled by
      default to facilitate connecting to legacy servers. We plan
      to remove the CBC ciphers from the client's defaults in the
      next release.
- Changes in version 2.12.1
  * Bug Fixes
    + GH-458 Singleton thread pool for kex message handler flushing
    + SSHD-1338 Restore binary compatibility with 2.9.2
  * What's Changed
    + Fix link by @swiedenfeld in #454
    + SSHD-1338 Restore binary compatibility with 2.9.2 by @gnodet
      in #456
    + Use a singleton threadpool for kex message handler flushing
      by @FliegenKLATSCH in #459
- Enable module: sshd-openpgp

OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=37
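As an added example (not code from Apache MINA sshd, from the upstream release notes, or from this package), the hypothetical class below shows how a client built against sshd-core 2.14.0 can apply the items from the notes above together: programmatic FIPS mode, the corrected `ignoreUnsupported == true` semantics of GH-582, and heartbeat and proxy-jump limits via `HEARTBEAT_NO_REPLY_MAX` and `MAX_PROXY_JUMPS`. The class name, the `SecurityUtils.isFipsMode()` query and the chosen interval and count values are assumptions; the other methods and properties are the ones named in the notes.

```java
import java.time.Duration;
import java.util.List;

import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.NamedResource;
import org.apache.sshd.common.OptionalFeature;
import org.apache.sshd.common.cipher.Cipher;
import org.apache.sshd.common.kex.KeyExchangeFactory;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.apache.sshd.core.CoreModuleProperties;

/**
 * Hypothetical helper, not part of Apache MINA sshd: builds an SshClient the
 * way the 2.14.0 and 2.13.0 notes describe, with FIPS mode switched on before
 * any other sshd call, algorithm lists built with the GH-582 corrected meaning
 * of ignoreUnsupported, and heartbeats configured through HEARTBEAT_NO_REPLY_MAX
 * rather than the deprecated HEARTBEAT_REPLY_WAIT.
 */
public final class RestrictedSshClientFactory {

    private RestrictedSshClientFactory() {
    }

    public static SshClient build(boolean fips) {
        // org.apache.sshd.security.fipsEnabled=true turns FIPS mode on at
        // startup; otherwise it has to be requested here, before anything
        // else in sshd is touched. isFipsMode() is assumed to exist.
        if (fips && !SecurityUtils.isFipsMode()) {
            SecurityUtils.setFipsMode();
        }

        // Since GH-582, 'true' really means "drop algorithms this JVM cannot
        // support" (in FIPS mode that covers chacha20-poly1305, curve25519/
        // curve448/sntrup761 KEX and ed25519). Before 2.14.0 the flag was
        // inverted, so code that passed 'false' for this must now pass 'true'.
        List<NamedFactory<Cipher>> ciphers = BaseBuilder.setUpDefaultCiphers(true);
        List<KeyExchangeFactory> kexes = ClientBuilder.setUpDefaultKeyExchanges(true);
        List<NamedFactory<Signature>> sigs = ClientBuilder.setUpDefaultSignatureFactories(true);

        rejectUnsupported("ciphers", ciphers);
        rejectUnsupported("kex", kexes);
        rejectUnsupported("signatures", sigs);

        SshClient client = ClientBuilder.builder()
                .cipherFactories(ciphers)
                .keyExchangeFactories(kexes)
                .signatureFactories(sigs)
                .build();

        // One heartbeat every 15 s with a reply requested; the session is
        // closed after 3 unanswered ones (OpenSSH ServerAliveInterval /
        // ServerAliveCountMax). A legacy HEARTBEAT_REPLY_WAIT of 40 s would
        // have been mapped to the same count: (40 / 15) + 1 = 3.
        CoreModuleProperties.HEARTBEAT_INTERVAL.set(client, Duration.ofSeconds(15));
        CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.set(client, 3);

        // Bound ProxyJump cascades well below the library default of 10 so
        // that a mis-configured loop fails fast.
        CoreModuleProperties.MAX_PROXY_JUMPS.set(client, 2);
        return client;
    }

    /**
     * Fails fast if a default list still carries an algorithm this JVM cannot
     * support. Only factories exposing OptionalFeature can be checked; the
     * whole list is printed so the offered set is visible in the logs.
     */
    static void rejectUnsupported(String kind, List<? extends NamedResource> factories) {
        for (NamedResource f : factories) {
            if (f instanceof OptionalFeature && !((OptionalFeature) f).isSupported()) {
                throw new IllegalStateException(kind + ": unsupported algorithm in defaults: " + f.getName());
            }
        }
        System.out.println(kind + " offered: " + NamedResource.getNames(factories));
    }

    public static void main(String[] args) {
        SshClient client = build(true);
        System.out.println("FIPS mode: " + SecurityUtils.isFipsMode());
        client.start();
        client.stop();
    }
}
```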
Fridrich Strba 2024-10-17 09:29:32 +00:00 committed by Git OBS Bridge
parent 0182ea1cc6
commit 18f684f1c4
4 changed files with 305 additions and 9 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e8198fd90ca8089a71547300a7a8f6e853dd5fea6095a6887f79564849e76bd8
size 1857423


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:148f5bc1c4ac73dc59024392eb45fc76ae32671dd146cf7962c44f255bae925e
size 1888003
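Review bot: the new LFS pointer (oid sha256:148f5bc1…, size 1888003) replaces the 2.12.0 archive recorded in the previous pointer, but nothing in the commit says how the 2.14.0 source archive was obtained or checked against the upstream Apache release signature or checksum; please record that verification in the changelog entry or a spec comment so the tarball swap is auditable.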


@ -1,3 +1,299 @@
-------------------------------------------------------------------
Thu Oct 17 07:53:50 UTC 2024 - Anton Shvetz <shvetz.anton@gmail.com>
- Updated to upstrem version 2.14.0
- Changes in version 2.14.0
* Bug Fixes
+ GH-524 Performance improvements
+ GH-533 Fix multi-step authentication
+ GH-582 Fix filtering in NamedFactory
+ GH-587 Prevent NullPointerExceptionon closed channel in
NettyIoSession
+ GH-590 Better support for FIPS
+ GH-597 Pass on Charset in
ClientSession.executeRemoteCommand()
* New Features
+ New utility methods SftpClient.put(Path localFile, String
remoteFileName) and SftpClient.put(InputStream in, String
remoteFileName) facilitate SFTP file uploading.
* GH-590 Better support for FIPS
Besides fixing a bug with bc-fips (the RandomGenerator class
exists in normal Bouncy Castle, but not in the FIPS version,
but Apache MINA sshd referenced it even if only bc-fips was
present), support was improved for running in an environment
restricted by FIPS.
There is a new system property
org.apache.sshd.security.fipsEnabled. If set to true, a number
of crypto-algorithms not approved by FIPS 140 are disabled:
+ key exchange methods sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com, curve25519-sha256,
curve25519-sha256@libssh.org, curve448-sha512.
+ the chacha20-poly1305 cipher.
+ the bcrypt KDF used in encrypted private key files in
OpenSSH format.
+ all ed25519 keys and signatures.
Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar
(see below) and the EdDSASecurityProviderRegistrar are
disabled, and the BouncyCastleScurityProviderRegistrar looks
only for the "BCFIPS" security provider, not for the normal
"BC" provider.
If the system property is not set to true, FIPS mode can be
enabled programmatically by calling SecurityUtils.setFipsMode()
before any other call to Apache MINA sshd.
* Potential compatibility issues
+ New security provider registrar
There is a new SecurityProviderRegistrar that is registered
by default if there is a SunJCE security provider. It uses
the AES and HmacSHA* implementations from SunJCE even if
Bouncy Castle is also registered. SunJCE has native
implementations, whereas Bouncy Castle may not.
The new registrar has the name "SunJCEWrapper" and can be
configured like any other registrar. It can be disabled via
the system property
org.apache.sshd.security.provider.SunJCEWrapper.enabled=false.
It is also disabled in FIPS mode (see above).
+ GH-582 Fix filtering in NamedFactory
The methods NamedFactory.setupBuiltinFactories(boolean
ignoreUnsupported, ...) and
NamedFactory.setupTransformedFactories(boolean
ignoreUnsupported, ...) had a bug that gave the
"ignoreUnsupported" parameter actually the meaning of
"include unsupported".
This was fixed in this release, but existing code calling
these or one of the following methods:
~ BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported)
~ BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported)
~ ClientBuilder.setUpDefaultCompressionFactories(boolean
ignoreUnsupported)
~ ClientBuilder.setUpDefaultKeyExchanges(boolean
ignoreUnsupported)
~ ClientBuilder.setUpDefaultSignatureFactories(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultCompressionFactories(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultKeyExchanges(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultSignatureFactories(boolean
ignoreUnsupported)
~ any of the methods starting with
SshConfigFileReader.configure
~ SshClientConfigFileReader.configure(...)
~ SshServerConfigFileReader.configure(...)
should be reviewed:
~ if the method is called with parameter value true, the
result will no longer include unsupported algorithms.
Formerly it wrongly did.
~ if the method is called with parameter value false, the
result may include unsupported algorithms. Formerly it
did not.
So if existing code used parameter value false to ensure it
never got unsupported algorithms, change it to true.
* Major Code Re-factoring
+ JDK requirements
~ GH-536 The project now requires JDK 17 at build time, while
the target runtime still remains unchanged to support JDK
8.
- Changes in version 2.13.2
* What's Changed
+ GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in #528
- Changes in version 2.13.1
* What's changed
+ This release does not contain any code changes. It is solely
to rectify the issue that the 2.13.0 release encountered
during the release process, where the source jars were not
created.
- Changes in version 2.13.0
* What's changed
+ GH-318: Handle cascaded proxy jumps by @tomaswolf in #512
+ GH-427: Read initial ACK on channel open prior to direct
stream upload & close streams prior to exit code handling by
@TerraNibble in #464
+ GH-455: ensure BaseCipher.update() fulfills the contract by
@tomaswolf in #463
+ GH-470: Synchronize not thread safe
java.security.KeyPairGenerator.generateKe… by
@zakharovsergey1000 in #467
+ GH-476: Fix Android detection false negative by @wh0
+ GH-475: Switch uses of JSch library to the
com.github.mwiede:jsch fork by @Alex-Vol-Amz
+ GH-472: change client start condition in sshd-spring-sftp by
@alwaystom
+ GH-489: sftp readdir: determine file type from longname by
@tomaswolf in #491
+ GH-486: Add missing U2F {ed25519,ecdsa}-sk public key
equality methods by @lf-
+ SSHD-1237 Handle keep-alive channel requests by @tomaswolf in
#492
+ GH-494: Nio2Session improvements by @evgeny-pasynkov
+ GH-468: Handle excess data in SFTP read requests by
@tomaswolf in #495
+ GH-498: Implement the "sntrup761x25519-sha512@openssh.com"
KEX method by @tomaswolf
+ GH-500: SftpFileSystemProvider: close SftpClient on exception
by @tomaswolf in #501
+ GH-504: Pass reason to sessionNegotiationEnd by @duco-lw in
#505
+ GH-461: Fix heartbeats with wantReply=true by @tomaswolf in
#507
+ GH-493: Fix arcfour128 and arcfour256 ciphers (regression in
2.2.0)
+ GH-509: SFTP v[456] client: validate attribute flags
+ GH-510: Fix class name in BuiltinIoServiceFactoryFactories
(regression in 2.6.0)
* New Features
+ sntrup761x25519-sha512@openssh.com Key Exchange
The key exchange method sntrup761x25519-sha512@openssh.com is
now available if the Bouncy Castle library is available.
This uses a post-quantum key encapsulation method (KEM) to
make key exchange future-proof against quantum attacks.
More information can be found in IETF Memo Secure Shell (SSH)
Key Exchange Method Using Hybrid Streamlined NTRU Prime
sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512.
+ Behavioral changes and enhancements
~ GH-318 Handle cascaded proxy jumps
Proxy jumps can be configured via host configuration
entries in two ways. First, proxies can be chained directly
by specifiying several proxies in one ProxyJump directive:
Host target
Hostname somewhere.example.org
User some_user
IdentityFile ~/.ssh/some_id
ProxyJump jumphost2, jumphost1
Host jumphost1
Hostname jumphost1@example.org
User jumphost1_user
IdentityFile ~/.ssh/id_jumphost1
Host jumphost2
Hostname jumphost2@example.org
User jumphost2_user
IdentityFile ~/.ssh/id_jumphost2
Connecting to server target will first connect to
jumphost1, then tunnel through to jumphost2, and finally
tunnel to target. So the full connection will be
client→jumphost1→jumphost2→target.
Such proxy jump chains were already supported in Apache
MINA SSHD.
Newly, Apache MINA SSHD also supports cascading proxy
jumps, so a configuration like
Host target
Hostname somewhere.example.org
User some_user
IdentityFile ~/.ssh/some_id
ProxyJump jumphost2
Host jumphost1
Hostname jumphost1@example.org
User jumphost1_user
IdentityFile ~/.ssh/id_jumphost1
Host jumphost2
Hostname jumphost2@example.org
ProxyJump jumphost1
User jumphost2_user
IdentityFile ~/.ssh/id_jumphost2
also works now, and produces the same connection
client→jumphost1→jumphost2→target.
It is possible to mis-configure such proxy jump cascades to
have loops. (For instance, if host jumphost1 in the above
example had a ProxyJump jumphost2 directive.) To catch such
misconfigurations, Apache MINA SSHD imposes an upper limit
on the total number of proxy jumps in a connection. An
exception is thrown if there are more than
CoreModuleProperties.MAX_PROXY_JUMPS proxy jumps in a
connection. The default value of this property is 10. Most
real uses of proxy jumps will have one or maybe two proxy
jumps only.
~ GH-461 Fix heartbeats with wantReply=true
The client-side heartbeat mechanism has been updated. Such
heartbeats are configured via the
CoreModuleProperties.HEARTBEAT_INTERVAL property. If this
interval is > 0, heartbeats are sent to the server.
Previously these heartbeats could also be configured with a
CoreModuleProperties.HEARTBEAT_REPLY_WAIT timeout. If the
timeout was <= 0, the client would just send heartbeat
requests without expecting any answers. If the timeout was
> 0, the client would send requests with a flag indicating
that the server should reply. The client would then wait
for the specified duration for the reply and would
terminate the connection if none was received.
This mechanism could cause trouble if the timeout was
fairly long and the server was slow to respond. A timeout
longer than the interval could also delay subsequent
heartbeats.
The CoreModuleProperties.HEARTBEAT_REPLY_WAIT property is
now deprecated.
There is a new configuration property
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX instead. It
defines a limit for the number of heartbeats sent without
receiving a reply before a session is terminated. If the
value is <= 0, the client still sends heartbeats without
expecting any reply. If the value is > 0, the client will
request a reply from the server for each heartbeat message,
and it will terminate the connection if the number of
unanswered heartbeats reaches
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.
This new way to configure heartbeats aligns with the
OpenSSH configuration options ServerAliveInterval and
ServerAliveCountMax.
For compatibility with older configurations that explicitly
define CoreModuleProperties.HEARTBEAT_REPLY_WAIT, the new
code maps this to the new configuration (but only if
CoreModuleProperties.HEARTBEAT_INTERVAL > 0 and the new
property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX has
not been set) by setting
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX to
= CoreModuleProperties.HEARTBEAT_REPLY_WAIT <= 0:
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX = 0
= otherwise: (CoreModuleProperties.HEARTBEAT_REPLY_WAIT /
CoreModuleProperties.HEARTBEAT_INTERVAL) + 1.
~ GH-468 SFTP: validate length of data received: must not be
more than requested
SFTP read operations now check the amount of data they get
back. If it's more than requested an exception is thrown.
SFTP servers must never return more data than the client
requested, but it appears that there are some that do so.
If property SftpModuleProperties.TOLERATE_EXCESS_DATA is
set to true, a warning is logged and such excess data is
silently discarded.
* Potential compatibility issues
+ AES-CBC ciphers removed from server's defaults
The AES-CBC ciphers aes128-cbc, aes192-cbc, and aes256-cbc
have been removed from the default list of cipher algorithms
that a server proposes in the key exchange. OpenSSH has
removed these cipher algorithms from the server proposal in
2014, and has removed them from the client proposal in 2017.
The cipher implementations still exist but they are not
enabled by default. Existing code that explicitly sets the
cipher factories is unaffected. Code that relies on the
default settings will newly create a server that does not
support the CBC-mode ciphers. To enable the CBC-mode ciphers,
one can use for instance
SshServer server = ServerBuilder.builder()
...
.cipherFactories(BuiltinFactory.setUpFactories(false,
BaseBuilder.DEFAULT_CIPHERS_PREFERENCES));
...
.build();
For the SSH client, the CBC ciphers are still enabled by
default to facilitate connecting to legacy servers. We plan
to remove the CBC ciphers from the client's defaults in the
next release.
- Changes in version 2.12.1
* Bug Fixes
+ GH-458 Singleton thread pool for kex message handler flushing
+ SSHD-1338 Restore binary compatibility with 2.9.2
* What's Changed
+ Fix link by @swiedenfeld in #454
+ SSHD-1338 Restore binary compatibility with 2.9.2 by @gnodet
in #456
+ Use a singleton threadpool for kex message handler flushing
by @FliegenKLATSCH in #459
- Enable module: sshd-openpgp
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 17 01:00:02 UTC 2024 - Fridrich Strba <fstrba@suse.com> Thu Oct 17 01:00:02 UTC 2024 - Fridrich Strba <fstrba@suse.com>
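Review bot: the new .changes entry copies the upstream release notes verbatim, typos included ("upstrem", "NullPointerExceptionon", "BouncyCastleScurityProviderRegistrar", "specifiying"); please fix those, and add the packaging changes the spec hunks below make but the entry does not record (sshd-benchmarks module disabled, the gmavenplus-plugin and animal-sniffer-maven-plugin removals dropped, assembly XPath simplified), since only "Enable module: sshd-openpgp" is mentioned.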


@ -23,7 +23,7 @@
%bcond_with extras %bcond_with extras
%endif %endif
%global homedir %{_datadir}/apache-sshd %global homedir %{_datadir}/apache-sshd
Version: 2.12.0 Version: 2.14.0
Release: 0 Release: 0
Summary: Apache SSHD Summary: Apache SSHD
# One file has ISC licensing: # One file has ISC licensing:
@ -128,6 +128,7 @@ This package provides %{name}.
%pom_remove_dep :testcontainers-bom sshd-sftp sshd-core %pom_remove_dep :testcontainers-bom sshd-sftp sshd-core
# We don't have dependencies for these modules # We don't have dependencies for these modules
%pom_disable_module sshd-benchmarks
%pom_disable_module sshd-mina %pom_disable_module sshd-mina
%pom_remove_dep -r org.apache.sshd:sshd-mina %pom_remove_dep -r org.apache.sshd:sshd-mina
%pom_disable_module sshd-spring-sftp %pom_disable_module sshd-spring-sftp
@ -144,6 +145,7 @@ This package provides %{name}.
%pom_disable_module sshd-scp %pom_disable_module sshd-scp
%pom_disable_module sshd-sftp %pom_disable_module sshd-sftp
%else %else
%pom_disable_module sshd-openpgp
%pom_disable_module sshd-netty %pom_disable_module sshd-netty
%pom_disable_module sshd-ldap %pom_disable_module sshd-ldap
%pom_disable_module sshd-git %pom_disable_module sshd-git
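Review bot: the changelog line "Enable module: sshd-openpgp" does not match what this hunk shows, which is a new `%pom_disable_module sshd-openpgp` inside the `%else` branch; if the intent is that sshd-openpgp builds only under the extras bcond, please confirm the matching disable was removed from the other branch (not visible in this hunk) and reword the changelog to say that the module is enabled only with extras.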
@ -155,19 +157,17 @@ This package provides %{name}.
# Disable plugins we don't need for RPM builds # Disable plugins we don't need for RPM builds
%pom_remove_plugin :apache-rat-plugin %pom_remove_plugin :apache-rat-plugin
%pom_remove_plugin :gmavenplus-plugin
%pom_remove_plugin :maven-checkstyle-plugin %pom_remove_plugin :maven-checkstyle-plugin
%pom_remove_plugin :maven-enforcer-plugin %pom_remove_plugin :maven-enforcer-plugin
%pom_remove_plugin :maven-pmd-plugin %pom_remove_plugin :maven-pmd-plugin
%pom_remove_plugin :animal-sniffer-maven-plugin
%pom_remove_plugin :impsort-maven-plugin %pom_remove_plugin :impsort-maven-plugin
%pom_remove_plugin :maven-clean-plugin %pom_remove_plugin :maven-clean-plugin
%pom_remove_plugin :formatter-maven-plugin . sshd-core %pom_remove_plugin :formatter-maven-plugin . sshd-core
# We only need the unix-bin execution # We only need the unix-bin execution
%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='unix-src']]" assembly %pom_xpath_remove "pom:executions/pom:execution[pom:id='unix-src']" assembly
%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='windows-bin']]" assembly %pom_xpath_remove "pom:executions/pom:execution[pom:id='windows-bin']" assembly
%pom_xpath_remove "pom:executions/pom:execution[pom:id[text()='windows-src']]" assembly %pom_xpath_remove "pom:executions/pom:execution[pom:id='windows-src']" assembly
# Suppress generation of uses clauses # Suppress generation of uses clauses
%pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true</_nouses>" . %pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true</_nouses>" .