Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package jsch for openSUSE:Factory checked in at 2024-01-14 19:01:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jsch (Old)
 and      /work/SRC/openSUSE:Factory/.jsch.new.21961 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jsch" Sun Jan 14 19:01:16 2024 rev:26 rq:1138302 version:0.2.15 Changes: -------- --- /work/SRC/openSUSE:Factory/jsch/jsch.changes 2023-06-04 16:41:50.165856078 +0200 +++ /work/SRC/openSUSE:Factory/.jsch.new.21961/jsch.changes 2024-01-14 19:01:22.050771044 +0100 
@@ -1,0 +2,60 @@ +Wed Dec 20 12:47:08 UTC 2023 - Gus Kenion <gken...@suse.com> + +- Upgrade to version 0.2.15, which includes fix for SSH protocol + vulnerability (bsc#1218134, CVE-2023-48795) + * Changes in 0.2.15: + + Address CVE-2023-48795 by adding support for new strict key + exchange extension + + Add support for ext-info-in-a...@openssh.com extension + + Introduce two new config options to control usage of the new + strict key exchange extension: + ~ enable_strict_kex (set to yes by default) + ~ require_strict_kex (set to no by default) + ~ If either option (or both) is enabled, then JSch will + attempt to use the new strict key exchange extension. + ~ If the require_strict_kex option is enabled and JSch detects + the server does not support it, then JSch will terminate the + connection and throw an exception. + ~ If the require_strict_kex option is not enabled and JSch + detects the server does not support it, then JSch will + fallback and proceed with the connection without using the + new extension. + + This gives users the ability to enable a strong security + posture if needed and avoid proceeding with connections to + potentially insecure servers. + * Changes in 0.2.14: + + #450 use Socket.connect() with a timeout that has been + supported since Java 1.4 instead of using old method of + creating a separate thread and joining to that thread with + timeout + * Changes in 0.2.13: + + #411 Add flush operation from Fix added is/jsch#39, + with new config option to allow disabling in case it causes + regressions. + + #403 add a warning when Channel.getInputStream() or + Channel.getExtInputStream() is called after Channel.connect(). 
+ * Changes in 0.2.12: + + Further refine previous fixes for windows line endings in PEM + keys + + #392 replace call to BigInteger.intValueExact to remain + compatible with android api 30 + + Introduce JSchSessionDisconnectException to allow the + reasonCode to be retrieved without String parsing + + Introduce specific JSchException for HostKey related failures + * Changes in 0.2.11: + + update dependencies changes + + #369 fix multi-line PEM key parsing to work with windows line + endings due to regression from previous fix for #362. + * Changes in 0.2.10: + + Fix new Java 21 compiler warning: possible 'this' escape + before subclass is fully initialized + + Tweak OSGi bundle manifest to allow Log4j 3 + + #362 fix PEM key parsing to work with windows line endings + + #361 guard against UIKeyboardInteractive implementations that + include NULL elements in the String[] returned from + promptKeyboardInteractive() + + Add a default implmentation of the deprecated decrypt() method + to the Identity interface that throws an + UnsupportedOperationException + +------------------------------------------------------------------- Old: ---- jsch-0.2.9.tar.gz New: ---- jsch-0.2.15.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jsch.spec ++++++ --- /var/tmp/diff_new_pack.8VvxDm/_old 2024-01-14 19:01:22.742796254 +0100 +++ /var/tmp/diff_new_pack.8VvxDm/_new 2024-01-14 19:01:22.746796399 +0100 @@ -1,7 +1,7 @@ # # spec file for package jsch # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: jsch -Version: 0.2.9 +Version: 0.2.15 Release: 0 Summary: Pure Java implementation of SSH2 License: BSD-3-Clause 
@@ -28,7 +28,7 @@ Patch0: jsch-junixsocket.patch Patch1: jsch-log4j.patch BuildRequires: ant -BuildRequires: bouncycastle +BuildRequires: bouncycastle >= 1.77 BuildRequires: fdupes # We need this for module-info.class BuildRequires: java-devel >= 9 ++++++ jsch-0.2.9.tar.gz -> jsch-0.2.15.tar.gz ++++++ ++++ 4973 lines of diff (skipped)
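Review bot: In the jsch.changes hunk, the top bullet says the upgrade "includes fix for SSH protocol vulnerability (bsc#1218134, CVE-2023-48795)", but the 0.2.15 notes below it state that require_strict_kex is "set to no by default" and that JSch will then "fallback and proceed with the connection without using the new extension" when the server does not support it. The entry should say so up front: the strict key exchange extension is used only when the server also offers it, and users who need connections to other servers refused have to set require_strict_kex to yes. Two smaller wording points in the same hunk: the 0.2.13 line "#411 Add flush operation from Fix added is/jsch#39" is garbled and should be restored from the upstream changelog, and "implmentation" in the 0.2.10 notes should read "implementation".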
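Review bot: In the jsch.spec hunk at line 28, the new minimum "BuildRequires: bouncycastle >= 1.77" is not explained anywhere in the jsch.changes entry, which lists only upstream changes (the closest is the vague "update dependencies changes" under 0.2.11). Add a packaging bullet stating which upstream release needs 1.77 and why, so that anyone backporting this CVE fix to a codestream with an older bouncycastle knows what will fail to build. The same hunk keeps Patch0 (jsch-junixsocket.patch) and Patch1 (jsch-log4j.patch) unchanged across a jump from 0.2.9 to 0.2.15 with 4973 lines of tarball diff skipped; a line in the changes entry confirming that both patches still apply without a rebase would close that question for the reviewer.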