This is an automated email from the ASF dual-hosted git repository. joewitt pushed a commit to branch support/nifi-1.19 in repository https://gitbox.apache.org/repos/asf/nifi.git
commit 6ed609228514944e121669a8f695ef04d359f956 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Thu Dec 1 12:40:54 2022 -0600 NIFI-10923 This closes #6745. Upgraded Apache SSHD to 2.9.2 Signed-off-by: Joe Witt <joew...@apache.org>
---
nifi-nar-bundles/nifi-standard-bundle/pom.xml | 5 +++-- nifi-registry/pom.xml | 12 ++++++++++++ pom.xml | 2 ++ 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/nifi-nar-bundles/nifi-standard-bundle/pom.xml b/nifi-nar-bundles/nifi-standard-bundle/pom.xml
index 080df69a0a..38cd556d85 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-bundle/pom.xml
@@ -35,6 +35,7 @@
 <properties>
 <yammer.metrics.version>2.2.0</yammer.metrics.version>
 <jolt.version>0.1.7</jolt.version>
+ <org.apache.sshd.version>2.9.2</org.apache.sshd.version>
 </properties>
 <dependencyManagement>
 <dependencies>
@@ -303,12 +304,12 @@
 <dependency>
 <groupId>org.apache.sshd</groupId>
 <artifactId>sshd-core</artifactId>
- <version>2.8.0</version>
+ <version>${org.apache.sshd.version}</version>
 </dependency>
 <dependency>
 <groupId>org.apache.sshd</groupId>
 <artifactId>sshd-sftp</artifactId>
- <version>2.8.0</version>
+ <version>${org.apache.sshd.version}</version>
 </dependency>
 <dependency>
 <groupId>com.google.guava</groupId>
diff --git a/nifi-registry/pom.xml b/nifi-registry/pom.xml
index e6544b09f1..f53dce0f6c 100644
--- a/nifi-registry/pom.xml
+++ b/nifi-registry/pom.xml
@@ -43,6 +43,7 @@
 <groovy.eclipse.compiler.version>3.4.0-01</groovy.eclipse.compiler.version>
 <jaxb.version>2.3.2</jaxb.version>
 <jgit.version>5.13.1.202206130422-r</jgit.version>
+ <org.apache.sshd.version>2.9.2</org.apache.sshd.version>
 </properties>
 <dependencyManagement>
@@ -241,6 +242,17 @@
 </exclusion>
 </exclusions>
 </dependency>
+ <!-- Override transitive SSHD version from JGit -->
+ <dependency>
+ <groupId>org.apache.sshd</groupId>
+ <artifactId>sshd-osgi</artifactId>
+ <version>${org.apache.sshd.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sshd</groupId>
+ <artifactId>sshd-sftp</artifactId>
+ <version>${org.apache.sshd.version}</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
diff --git a/pom.xml b/pom.xml
index dc8edd1bba..733c2bc458 100644
--- a/pom.xml
+++ b/pom.xml
@@ -970,6 +970,8 @@
 <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
 <exclude>org.bouncycastle:bcutil-jdk15on</exclude>
 <exclude>org.bouncycastle:bcmail-jdk15on</exclude>
+ <!-- Exclude SSHD 2.9.1 and earlier due to CVE-2022-45047 -->
+ <exclude>org.apache.sshd:*:[,2.9.1]</exclude>
 </excludes>
 <includes>
 <!-- Versions of JSR305 after 3.0.1 are allowed https://github.com/findbugsproject/findbugs/issues/128 -->
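Review bot: The override comment in the `@@ -241,6 +242,17 @@` hunk of nifi-registry/pom.xml says only that the SSHD version from JGit is replaced, not why, and the enforcer exclusion that explains it sits in the root pom.xml. I would extend it to `<!-- Override transitive SSHD version from JGit to a release not affected by CVE-2022-45047 -->` so the pin is not dropped during a later JGit upgrade. The `org.apache.sshd.version` property is also declared separately here and in nifi-nar-bundles/nifi-standard-bundle/pom.xml, so the two values can drift; declaring it once in a shared parent would keep them aligned, if these modules inherit from one (not visible in the diff). The diff does not show which SSHD release JGit 5.13.1 was built against, so the Git-over-SSH path is worth exercising in a test with the managed version.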
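Review bot: The new `<exclude>org.apache.sshd:*:[,2.9.1]</exclude>` in the root pom.xml matches on Maven coordinates only, so a copy of the SSHD classes shaded or repackaged inside another artifact would pass the enforcer unnoticed; a dependency scan keyed on CVE-2022-45047 is a useful second check. The comment would age better if it named the fixed release, for example `<!-- Exclude SSHD 2.9.1 and earlier due to CVE-2022-45047 (fixed in 2.9.2) -->`. Whether transitive dependencies are checked depends on the rule configuration around this `<excludes>` element, which begins outside the hunk.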