This is an automated email from the ASF dual-hosted git repository. joewitt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new 3399d09c46 NIFI-10923 This closes #6745. Upgraded Apache SSHD to 2.9.2 3399d09c46 is described below commit 3399d09c46f4edbb1bc4cf4c07392887f3aec08c Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Thu Dec 1 12:40:54 2022 -0600 NIFI-10923 This closes #6745. Upgraded Apache SSHD to 2.9.2 Signed-off-by: Joe Witt <joew...@apache.org> --- nifi-nar-bundles/nifi-standard-bundle/pom.xml | 5 +++-- nifi-registry/pom.xml | 12 ++++++++++++ pom.xml | 2 ++ 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/nifi-nar-bundles/nifi-standard-bundle/pom.xml b/nifi-nar-bundles/nifi-standard-bundle/pom.xml
index 87c4a3c610..566bcb79c3 100644
--- a/nifi-nar-bundles/nifi-standard-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-bundle/pom.xml
@@ -35,6 +35,7 @@
 <properties>
 <yammer.metrics.version>2.2.0</yammer.metrics.version>
 <jolt.version>0.1.7</jolt.version>
+ <org.apache.sshd.version>2.9.2</org.apache.sshd.version>
 </properties>
 <dependencyManagement>
 <dependencies>
@@ -303,12 +304,12 @@
 <dependency>
 <groupId>org.apache.sshd</groupId>
 <artifactId>sshd-core</artifactId>
- <version>2.8.0</version>
+ <version>${org.apache.sshd.version}</version>
 </dependency>
 <dependency>
 <groupId>org.apache.sshd</groupId>
 <artifactId>sshd-sftp</artifactId>
- <version>2.8.0</version>
+ <version>${org.apache.sshd.version}</version>
 </dependency>
 <dependency>
 <groupId>com.google.guava</groupId>
diff --git a/nifi-registry/pom.xml b/nifi-registry/pom.xml
index 0a6b2e5dcb..66d4399eee 100644
--- a/nifi-registry/pom.xml
+++ b/nifi-registry/pom.xml
@@ -43,6 +43,7 @@
 <groovy.eclipse.compiler.version>3.4.0-01</groovy.eclipse.compiler.version>
 <jaxb.version>2.3.2</jaxb.version>
 <jgit.version>5.13.1.202206130422-r</jgit.version>
+ <org.apache.sshd.version>2.9.2</org.apache.sshd.version>
 </properties>
 <dependencyManagement>
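Review bot: The `org.apache.sshd.version` property added in the `@@ -35,6 +35,7 @@` hunk of nifi-nar-bundles/nifi-standard-bundle/pom.xml is declared a second time, with the same value, in the `@@ -43,6 +43,7 @@` hunk of nifi-registry/pom.xml, so the SSHD version has two independent sources of truth. A later upgrade that edits only one of them would leave the other module resolving the older release. If both modules inherit from the root pom (its `<properties>` are not visible here), declaring `<org.apache.sshd.version>2.9.2</org.apache.sshd.version>` once there would keep them in step. The enclosing `<properties>` blocks start outside both hunks.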
@@ -241,6 +242,17 @@
 </exclusion>
 </exclusions>
 </dependency>
+ <!-- Override transitive SSHD version from JGit -->
+ <dependency>
+ <groupId>org.apache.sshd</groupId>
+ <artifactId>sshd-osgi</artifactId>
+ <version>${org.apache.sshd.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sshd</groupId>
+ <artifactId>sshd-sftp</artifactId>
+ <version>${org.apache.sshd.version}</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
diff --git a/pom.xml b/pom.xml
index e710456ee8..14a0b77e1f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -970,6 +970,8 @@
 <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
 <exclude>org.bouncycastle:bcutil-jdk15on</exclude>
 <exclude>org.bouncycastle:bcmail-jdk15on</exclude>
+ <!-- Exclude SSHD 2.9.1 and earlier due to CVE-2022-45047 -->
+ <exclude>org.apache.sshd:*:[,2.9.1]</exclude>
 </excludes>
 <includes>
 <!-- Versions of JSR305 after 3.0.1 are allowed https://github.com/findbugsproject/findbugs/issues/128 -->
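Review bot: The override added in the `@@ -241,6 +242,17 @@` hunk of nifi-registry/pom.xml pins only `sshd-osgi` and `sshd-sftp`, and its comment does not say why the version JGit brings in is unacceptable. Any other `org.apache.sshd` artifact that reaches this module transitively would keep the version JGit resolves, which is worth confirming with `mvn dependency:tree -Dincludes=org.apache.sshd`. I would extend the comment to `<!-- Override transitive SSHD version from JGit: CVE-2022-45047 affects 2.9.1 and earlier -->` so the entries are not dropped in a later dependency cleanup. The `<dependencyManagement>` block starts outside the hunk.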
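Review bot: The added `<exclude>` in the root pom.xml hunk writes its range as `[,2.9.1]`, a closed bracket on an unbounded lower end, where Maven's range notation conventionally uses `(,2.9.1]`. The two are probably parsed the same way, but this rule is what stops a vulnerable SSHD from returning transitively, so it is worth confirming that the build fails when a module resolves 2.9.1 or earlier. I would write `<exclude>org.apache.sshd:*:(,2.9.1]</exclude>` and have the comment name the fixed release, `<!-- Exclude SSHD 2.9.1 and earlier due to CVE-2022-45047; fixed in 2.9.2 -->`. The enclosing enforcer rule configuration starts outside the hunk.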