pool/jsch
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1138302 from Java:packages

Browse Source 
bsc#1218134, CVE-2023-48795

OBS-URL: https://build.opensuse.org/request/show/1138302
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/jsch?expand=0&rev=26
This commit is contained in:
Ana Guerrero 2024-01-14 18:01:16 +00:00 committed by Git OBS Bridge
commit 74953f3b52
4 changed files with 66 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
jsch-0.2.15.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

3
jsch-0.2.9.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8f7c7437115466c53781be7683aa84237f5d968ac7925997beef8f4311ebaad9
size 382571

60
jsch.changes
View File

@ -1,3 +1,63 @@
-------------------------------------------------------------------
Wed Dec 20 12:47:08 UTC 2023 - Gus Kenion <gkenion@suse.com>
- Upgrade to version 0.2.15, which includes fix for SSH protocol
vulnerability (bsc#1218134, CVE-2023-48795)
* Changes in 0.2.15:
+ Address CVE-2023-48795 by adding support for new strict key
exchange extension
+ Add support for ext-info-in-auth@openssh.com extension
+ Introduce two new config options to control usage of the new
strict key exchange extension:
~ enable_strict_kex (set to yes by default)
~ require_strict_kex (set to no by default)
~ If either option (or both) is enabled, then JSch will
attempt to use the new strict key exchange extension.
~ If the require_strict_kex option is enabled and JSch detects
the server does not support it, then JSch will terminate the
connection and throw an exception.
~ If the require_strict_kex option is not enabled and JSch
detects the server does not support it, then JSch will
fallback and proceed with the connection without using the
new extension.
+ This gives users the ability to enable a strong security
posture if needed and avoid proceeding with connections to
potentially insecure servers.
* Changes in 0.2.14:
+ #450 use Socket.connect() with a timeout that has been
supported since Java 1.4 instead of using old method of
creating a separate thread and joining to that thread with
timeout
* Changes in 0.2.13:
+ #411 Add flush operation from Fix added is/jsch#39,
with new config option to allow disabling in case it causes
regressions.
+ #403 add a warning when Channel.getInputStream() or
Channel.getExtInputStream() is called after Channel.connect().
* Changes in 0.2.12:
+ Further refine previous fixes for windows line endings in PEM
keys
+ #392 replace call to BigInteger.intValueExact to remain
compatible with android api 30
+ Introduce JSchSessionDisconnectException to allow the
reasonCode to be retrieved without String parsing
+ Introduce specific JSchException for HostKey related failures
* Changes in 0.2.11:
+ update dependencies changes
+ #369 fix multi-line PEM key parsing to work with windows line
endings due to regression from previous fix for #362.
* Changes in 0.2.10:
+ Fix new Java 21 compiler warning: possible 'this' escape
before subclass is fully initialized
+ Tweak OSGi bundle manifest to allow Log4j 3
+ #362 fix PEM key parsing to work with windows line endings
+ #361 guard against UIKeyboardInteractive implementations that
include NULL elements in the String[] returned from
promptKeyboardInteractive()
+ Add a default implmentation of the deprecated decrypt() method
to the Identity interface that throws an
UnsupportedOperationException
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Jun 3 11:03:46 UTC 2023 - Fridrich Strba <fstrba@suse.com> Sat Jun 3 11:03:46 UTC 2023 - Fridrich Strba <fstrba@suse.com>

6
jsch.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package jsch # spec file for package jsch
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: jsch Name: jsch
Version: 0.2.9 Version: 0.2.15
Release: 0 Release: 0
Summary: Pure Java implementation of SSH2 Summary: Pure Java implementation of SSH2
License: BSD-3-Clause License: BSD-3-Clause
@ -28,7 +28,7 @@ Source1: %{name}-build.xml
Patch0: jsch-junixsocket.patch Patch0: jsch-junixsocket.patch
Patch1: jsch-log4j.patch Patch1: jsch-log4j.patch
BuildRequires: ant BuildRequires: ant
BuildRequires: bouncycastle BuildRequires: bouncycastle >= 1.77
BuildRequires: fdupes BuildRequires: fdupes
# We need this for module-info.class # We need this for module-info.class
BuildRequires: java-devel >= 9 BuildRequires: java-devel >= 9