Skip to content

Bump sshd-core from 2.7.0 to 2.8.0 #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

Bump sshd-core from 2.7.0 to 2.8.0 #2

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 26, 2022

Bumps sshd-core from 2.7.0 to 2.8.0.

Changelog

Sourced from sshd-core's changelog.

Version 2.6.0 to 2.7.0

Version 2.7.0 to 2.8.0

Planned for next version

Major code re-factoring

Potential compatibility issues

Changes that may affect existing code

A new SFTP configuration property has been introduced that limits the maximum amount of data that can be sent in a single SSH_FXP_WRITE packet - default=256KB

    /**
     * Force the use of a max. packet length for {@link AbstractSftpSubsystemHelper#doWrite(Buffer, int)} protection
     * against malicious packets
     */
    public static final Property<Integer> MAX_WRITE_DATA_PACKET_LENGTH
            = Property.integer("sftp-max-writedata-packet-length", 256 * 1024);

This might cause SFTP write failures for clients that might have sent larger buffers and they have been accepted so far. If this happens, simply increase this value (though the choice of 256KB should be compatible with the vast majority of clients).

SSH channel identifiers have been changed to use long instead of int in order to align them with the standard that required them to be UINT32 values.

The relevant API(s) have been modified accordingly - which may cause a few incompatibility issues with code that extends/implements existing Channel classes and interfaces. In this context, the Channel interface now extends ChannelIdentifier where getId() has been renamed to getChannelId()

long used instead of int in most encoded/decoded packets that are specified as being UINT32

There are several exceptions to this rule:

  • The SFTP packet id field - an "opaque" value anyway, not used for allocation or indexing anyway

  • Various flags and mask field - there is no reason to encapsulate them into a long value since they do not represent a cardinal number of 32 bits

  • Various status code fields - ditto.

  • Cases where the value serves as argument for allocation of other data structures based on its value - e.g., arrays, lists. This was done for convenience reasons since Java does not support unsigned array/list sizes. In such cases, special validation code was applied to make sure the requested value does not exceed Integer#MAX_VALUE (sometimes even less) in order to protect the code from malicious or malformed packets. It is important to bear in mind that in the vast majority of the cases we do not want to be able to allocate arrays or lists having billions of elements as it would almost definitely cause out-of-memory issues.

User HOME directory resolution and usage have been moved to PathUtils

Was originally in HostConfigEntry.

... (truncated)

Commits
  • c3d18fb [maven-release-plugin] prepare release sshd-2.8.0
  • 80e57cf Fix notice year, update plugins
  • f8069c6 [SSHD-1230] Log netty channel traffic on TRACE level
  • c80b88f Fix Buffer.putRawPublicKey() for hardware keys
  • 067e734 SFTP: support file timestamps with sub-millisecond resolution
  • c7d83d0 Fix creationTime in SftpHelper#writeAttrsV4
  • 0fbecc2 Fix compile error
  • b45c719 Upgraded Checkstyle checker version to 9.1
  • 281add8 Upgraded OWASP plugin version to 6.5.0
  • 3e2d7e0 Upgraded jpgpj version to 1.2
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump sshd-core from 2.7.0 to 2.8.0
efe1087 
Bumps [sshd-core](https://github.com/apache/mina-sshd) from 2.7.0 to 2.8.0.
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](apache/mina-sshd@sshd-2.7.0...sshd-2.8.0)

---
updated-dependencies:
- dependency-name: org.apache.sshd:sshd-core
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Feb 26, 2022
@mamh2021 mamh2021 force-pushed the dependabot/maven/org.apache.sshd-sshd-core-2.8.0 branch from 589a1c8 to efe1087 Compare March 9, 2022 06:03
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Jul 25, 2022

Superseded by #14.

@dependabot dependabot bot closed this Jul 25, 2022
@dependabot dependabot bot deleted the dependabot/maven/org.apache.sshd-sshd-core-2.8.0 branch July 25, 2022 06:19
@mamh2021 mamh2021 restored the dependabot/maven/org.apache.sshd-sshd-core-2.8.0 branch August 7, 2022 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant