Release 0.1.54 contains a fix for CVE-2016-5725 (jsch recursive sftp get client-side Windows path traversal). See http://www.jcraft.com/jsch/ChangeLog for details. We have to adopt it ASAP to not ship potential exploits.
Sergey, would you please file the CQ? I'll make sure to provide all the needed patches for that.
(In reply to Alexander Kurtakov from comment #1)
> Sergey, would you please file the CQ . I'll make sure to provide all the
> needed patches for that.

Hmm... Can't you file the CQ yourself?
No, only a committer on the project can do it.
Can you provide info for the CQ?
So I was wrong. I was able to open one after the cq opening moved to PMI. https://dev.eclipse.org/ipzilla/show_bug.cgi?id=12480
(In reply to Alexander Kurtakov from comment #5)
> So I was wrong. I was able to open one after the cq opening moved to PMI.

How did you do it? Were you able to choose the project? Because AFAIK the committer tools don't appear if you aren't a committer.
(In reply to Dani Megert from comment #6)
> (In reply to Alexander Kurtakov from comment #5)
> > So I was wrong. I was able to open one after the cq opening moved to PMI.
>
> How did you do it? Were you able to choose the project? Because AFAIK the
> committer tools don't appear if you aren't a committer.

Committer tools were not appearing in the old UI and they are not showing for projects I have no affiliation with in PMI too (e.g. technology.egit). But when going to https://projects.eclipse.org/projects/eclipse.platform.resources/developer I have the committer tools. Maybe this power was granted to PMC members or smth like that after latest updates but I don't have time to investigate it further.
(In reply to Alexander Kurtakov from comment #7)
> (In reply to Dani Megert from comment #6)
> > (In reply to Alexander Kurtakov from comment #5)
> > > So I was wrong. I was able to open one after the cq opening moved to PMI.
> >
> > How did you do it? Were you able to choose the project? Because AFAIK the
> > committer tools don't appear if you aren't a committer.
>
> Committer tools were not appearing in the old UI and they are not showing
> for projects I have no affiliation with in PMI too (e.g. technology.egit).
> But when going to
> https://projects.eclipse.org/projects/eclipse.platform.resources/developer I
> have the committer tools. Maybe this power was granted to PMC members or
> smth like that after latest updates but I don't have time to investigate it
> further.

I think so, because even in the old committer tools PMC members can masquerade for any project under the PMC.
(In reply to Dani Megert from comment #8)
> (In reply to Alexander Kurtakov from comment #7)
> > (In reply to Dani Megert from comment #6)
> > > (In reply to Alexander Kurtakov from comment #5)
> > > > So I was wrong. I was able to open one after the cq opening moved to PMI.
> > >
> > > How did you do it? Were you able to choose the project? Because AFAIK the
> > > committer tools don't appear if you aren't a committer.
> >
> > Committer tools were not appearing in the old UI and they are not showing
> > for projects I have no affiliation with in PMI too (e.g. technology.egit).
> > But when going to
> > https://projects.eclipse.org/projects/eclipse.platform.resources/developer I
> > have the committer tools. Maybe this power was granted to PMC members or
> > smth like that after latest updates but I don't have time to investigate it
> > further.
>
> I think so, because even in the old committer tools PMC members can
> masquerade for any project under the PMC.

I know about masquerading but there was nothing like that involved, it was just there for me to use.
The CQ as well as the add-to-orbit are now approved: https://dev.eclipse.org/ipzilla/show_bug.cgi?id=12524
Roland, please let us know when new Orbit I-build with it is ready.
FWIW, I can confirm that I don't have a "Committer Tools" link on https://projects.eclipse.org/projects/eclipse.platform.resources/developer , and https://projects.eclipse.org/projects/eclipse.platform.resources/ipzilla/ajax/add correctly gives a "403 - Access denied" for me (non-committer, non-PMC)
I've promoted I20170117172928 to the Orbit Downloads page (http://download.eclipse.org/tools/orbit/downloads/) under the Integration builds. This should contain com.jcraft.jsch 0.1.54. The download page for I20170117172928 : http://download.eclipse.org/tools/orbit/downloads/drops/I20170117172928/ The p2 repository is : http://download.eclipse.org/tools/orbit/downloads/drops/I20170117172928/repository Note that I will also be creating an S-build by the end of the week as Orbit's contribution to Oxygen M5.
We should also put this into 4.6.3.
New Gerrit change created: https://git.eclipse.org/r/88893
Gerrit change https://git.eclipse.org/r/88893 was merged to [master]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/commit/?id=5aa10477fb09092ae75ad6a6fd4155db73824b90
(In reply to Dani Megert from comment #14)
> We should also put this into 4.6.3.

Ping!
I would not be able to work on this for 4.6.3. Checked with Roland (Orbit lead): there are no maintenance builds anymore, so there are two paths: either move to the latest Orbit build if everything needed is there, or use two different Orbit repos where only the latest jsch is referred to from the new one. It would be nice if a platform.team committer takes this further and fixes it for 4.6.3.
(In reply to Alexander Kurtakov from comment #18)
> I would not be able to work on this for 4.6.3. Checked with Roland (Orbit
> lead) there is no maintenance builds anymore

Do you have a bug report or mailing list where this has been decided? It seems very wrong. This probably needs to be escalated. There will always be bundles that need to be updated in an update release. And up to Neon there were Orbit builds for the maintenance releases, see http://download.eclipse.org/tools/orbit/downloads/
(In reply to Dani Megert from comment #19)
> (In reply to Alexander Kurtakov from comment #18)
> > I would not be able to work on this for 4.6.3. Checked with Roland (Orbit
> > lead) there is no maintenance builds anymore
>
> Do you have a bug report or mailing list where this has been decided? It
> seems very wrong. This probably needs to be escalated. There will always be
> bundles that need to be updated in an update release. And up to Neon there
> were Orbit builds for the maintenance releases, see
> http://download.eclipse.org/tools/orbit/downloads/

No, I don't have such reference. IMHO, we should move towards single stream of development as there is no manpower to handle multiple and we should deliver faster to users. Anyway, I'm adding Roland on CC for more info.
Bug 512103 has been raised to get a new contribution from Orbit with jsch 0.1.54.
New Gerrit change created: https://git.eclipse.org/r/90925
Gerrit change https://git.eclipse.org/r/90925 was merged to [R4_6_maintenance]. Commit: http://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/commit/?id=45169814110c04e8a836f0a08fc68c65dedf1740
(In reply to Eclipse Genie from comment #23)
> Gerrit change https://git.eclipse.org/r/90925 was merged to
> [R4_6_maintenance].
> Commit:
> http://git.eclipse.org/c/platform/eclipse.platform.releng.aggregator.git/
> commit/?id=45169814110c04e8a836f0a08fc68c65dedf1740

Workaround has been pushed.
I've tested ssh Git and CVS with M20170214-0330 and it worked.
Filed bug 512186 to switch to an R Orbit repo.
Verified in M20170215-0400.