Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-5538

Upgrade Apache MINA SSHD to 2.7.0 (fixes CVE-2021-30129), JGit to compatible version

    XMLWordPrintable

Details

    • Component Upgrade
    • Resolution: Done
    • Major
    • 17.0.0.Final
    • None
    • Management, Security
    • None
    • Undefined

    Description

      Pick up the fix to https://nvd.nist.gov/vuln/detail/CVE-2021-30129

      I haven't carefully looked at the CVE but at a glance it doesn't sound particularly relevant to WildFly's use of MINA SSHD. But it's High Severity in general so it's good to eliminate component versions with such things.

      Unfortunately local testing shows a simple update fails because our JGit integration is not compatible. We need a JGit release with https://bugs.eclipse.org/bugs/show_bug.cgi?id=574220 fixed.

      I don't know if Elytron testing or testing of the upgrade in full WF would show other issues.

      Changes in 2.7.0: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310849&version=12349400

      Attachments

        Issue Links

          is cloned by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-22493 (7.4.z) Upgrade Apache MINA SSHD from 2.4.0.redhat-00001 to 2.7.0.redhat-00001 (fixes CVE-2021-30129)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-22494 (7.4.z) Upgrade eclipse jgit from 5.10.0.202012080955-r-redhat-00001 to 5.13.0.202109080827-r-redhat-00001

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. WFLY-15196 Request to update org.apache.sshd:sshd-* to 2.7.0 to eliminate CVE-2021-30129

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          relates to

          Bug - A problem that impairs or prevents the functions of the product. ELY-2200 Update org.apache.sshd:sshd-common:2.3.0 to 2.7.0 to eliminate CVE-2021-30129

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              ehugonne1@redhat.com Emmanuel Hugonnet
              bstansbe@redhat.com Brian Stansberry
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: