Upgrade jsch from 0.1.52 to 0.1.55 to fix CVE-2016-5725 #281
Conversation
Force-pushed from 4ddfaef to 73684e1
I could pull this locally and build & run tests. We need to have a release pipeline to publish updated artifacts. If we cannot dig through history to figure out how we did releases, I do have a branch which uses a more up-to-date gradle that I think we should switch to for releases.
Force-pushed from 73684e1 to 77d3f07
For reference: Dilli-Babu-Godari#2. I tried adding build scripts on GitHub following this PR: https://github.com/prestodb/airlift/pull/77/files in my forked repository, as suggested by Tim Meehan. However, I'm encountering a build failure. The build is failing at the signingArchives task for the Java 8 build, and I'm currently investigating the issue. I also noticed a lot of warnings while using Java 8, and during the Java 11 compilation, it failed at the 'compileJava' task with a couple of errors. If you have any insights on this, please let me know.
Force-pushed from 77d3f07 to 42852f7
@Dilli-Babu-Godari for both CI in the matrix you should set
Also, regarding the Java 11 compatibility: I don't think we need to compile to Java 11 bytecode. We probably just need it to compile to Java 8 and for the tests to pass if executed with Java 11. The gradle build may need to be updated for that, but I'm not sure.
I will try and check with Java 8 for now.
@ZacBlanco I've implemented the changes based on your feedback and have raised a separate PR for them. You can find the PR here: #282. Could you please take a look when you have a moment? |
@Dilli-Babu-Godari can you force-push again to this branch to trigger the new GH action |
Force-pushed from 49398ad to 3ee9480
I've rebased with master and force-pushed the changes to the branch. Everything is working as expected, and the check has successfully passed. |
last thing, otherwise lgtm
.gitignore
Outdated
@@ -1,6 +1,6 @@ | |||
# Build files | |||
.gradle/ | |||
gradle.properties | |||
!gradle.properties |
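Review bot: the `!gradle.properties` line negates the `gradle.properties` ignore pattern directly above it, so the file would be tracked again and the ignore has no effect; as the reviewer asks, drop the `!gradle.properties` line so the pattern stays in force. Keeping that file out of the repository matters here because a release setup with a signingArchives task is typically where local signing and publishing credentials end up being configured.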
looks like this got added in again, please remove
Removed this. Could you please merge the change if everything looks fine?
Force-pushed from 3ee9480 to 95ca2c5
I don't have permissions. @tdcmeehan should be able to merge this.
Description
Upgrade jsch from 0.1.52 to 0.1.55 to fix CVE-2016-5725
Upgrading the jsch library from version 0.1.52 to 0.1.55 addresses CVE-2016-5725, which is a directory traversal vulnerability in JCraft JSch before version 0.1.54. This vulnerability allowed remote SFTP servers to write to arbitrary files on Windows when using ChannelSftp.OVERWRITE mode, via a ..\ (dot dot backslash) in a recursive GET command.
Build Successful.
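The vulnerability class the description names is a client trusting entry names that a remote SFTP server returns and using them to build local paths during a recursive GET. The following is an added example, not JSch's code and not part of this PR, showing the check an SFTP client should apply to each server-supplied name before writing locally: reject anything that is not a single plain path component (no `/` or `\` on any platform, no `.` or `..`), and additionally confirm the normalized target still lies inside the download root. The class name `SafeSftpName`, the method names and the sample listing are all constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (hypothetical helper, not JSch's own code): validating
 * entry names received from a remote SFTP server before they are used to
 * build local file paths in a recursive download.
 */
public final class SafeSftpName {

    private SafeSftpName() {}

    /**
     * True only if remoteName is a single plain path component: no "/" or "\"
     * separator (checked on every platform, since a Windows client would treat
     * "..\" as a traversal even if the client code itself runs tests on Linux),
     * no NUL, and not "." or "..". A directory listing should only ever yield
     * such components; anything else is treated as hostile and skipped.
     */
    public static boolean isPlainComponent(String remoteName) {
        if (remoteName == null || remoteName.isEmpty()) return false;
        if (remoteName.indexOf('/') >= 0 || remoteName.indexOf('\\') >= 0) return false;
        if (remoteName.indexOf('\0') >= 0) return false;
        return !remoteName.equals(".") && !remoteName.equals("..");
    }

    /**
     * Resolves remoteName under localRoot and verifies that the normalized
     * result is still strictly inside localRoot. The containment check is
     * defense in depth behind isPlainComponent: if the component check were
     * ever relaxed, a name that normalizes outside the root is still refused.
     * Throws IllegalArgumentException on rejection.
     */
    public static Path resolveInside(Path localRoot, String remoteName) {
        if (!isPlainComponent(remoteName)) {
            throw new IllegalArgumentException("rejected remote entry name: " + remoteName);
        }
        Path root = localRoot.toAbsolutePath().normalize();
        Path target = root.resolve(remoteName).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("remote entry escapes target directory: " + remoteName);
        }
        return target;
    }

    /** Constructed sample listing standing in for what a hostile server might return. */
    public static void main(String[] args) {
        Path root = Paths.get("downloads");
        // Arrays.asList rather than List.of so this compiles on Java 8 as well.
        List<String> listing = Arrays.asList(
                "report.txt", "..\\evil.bat", "../evil.sh", "sub/dir.txt", "..", "data.csv");
        for (String name : listing) {
            try {
                System.out.println("OK   " + name + " -> " + resolveInside(root, name));
            } catch (IllegalArgumentException e) {
                System.out.println("SKIP " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The separator check is deliberately platform-independent: on a POSIX JVM, `Paths.get("downloads").resolve("..\\evil.bat")` treats the backslash as an ordinary character and the containment check alone would accept it, which is exactly why the Windows-only escape in CVE-2016-5725 is best caught by refusing backslashes in server-supplied names everywhere rather than relying on the local path API.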