Bug 582483 - Bump apache-sshd-version to 2.10.0 in 5.13.x
Status: NEW
Alias: None
Product: JGit
Classification: Technology
Component: JGit
Version: 5.13.1
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Project Inbox
Reported: 2023-09-28 04:25 EDT by Michael Petritsch
Modified: 2023-09-28 17:27 EDT

Description Michael Petritsch 2023-09-28 04:25:57 EDT
Since some SCA tools report CVE-2023-35887 in Apache MINA SSHD before 2.10.0, and some projects still need to support Java 8 and therefore cannot upgrade to 6.x, can we also bump the apache-sshd-version in 5.13.x to 2.10.0, just like in 6.x?
Comment 1 Thomas Wolf 2023-09-28 17:27:41 EDT
IMO not worth the trouble. The CVE is about the server-side SFTP part of Apache MINA sshd, which is not used by JGit.