WildFly Core / WFCORE-5538

Upgrade Apache MINA SSHD to 2.7.0 (fixes CVE-2021-30129), JGit to compatible version


    • Component Upgrade
    • Resolution: Done
    • Major
    • 17.0.0.Final
    • None
    • Management, Security
    • None
    • Undefined

      Pick up the fix to https://nvd.nist.gov/vuln/detail/CVE-2021-30129

      I haven't carefully looked at the CVE but at a glance it doesn't sound particularly relevant to WildFly's use of MINA SSHD. But it's High Severity in general so it's good to eliminate component versions with such things.

      Unfortunately local testing shows a simple update fails because our JGit integration is not compatible. We need a JGit release with https://bugs.eclipse.org/bugs/show_bug.cgi?id=574220 fixed.

      I don't know if Elytron testing or testing of the upgrade in full WF would show other issues.

      Changes in 2.7.0: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310849&version=12349400

            ehugonne1@redhat.com Emmanuel Hugonnet
            bstansbe@redhat.com Brian Stansberry