tomaswolf commented on issue #812: URL: https://github.com/apache/mina-sshd/issues/812#issuecomment-3267522724
While it may be good that somebody did this, this new 0.3.1 artifact has a broken MANIFEST.MF. This won't work in OSGi environments at all. Actually, the vulnerability can be fixed outside of that library by simply doing that check on the last 32 bytes of the signature oneself. (And the check can be done on the byte array directly, no need for BigInteger at all.) I think we should do so in our SignatureEd25519 in any case.

The dependency on sun.security is only in test code; it can be worked around if needed (in OSGi). We did so for a while in JGit by actually providing an empty package for the one eddsa 0.3.0 falsely requires. (And before that Eclipse Orbit actually re-packaged the 0.3.0 artifact and re-signed it, and simply omitted that Import-Package for sun.security.x509.)

As for switching to a new bundle: anyone can do that without any changes in Apache MINA SSHD already. Our compile-time dependency on the 0.3.0 artifact is only an _optional_ runtime dependency. Our OSGi manifests reference it only via package name (and also as optional requirements), and the 0.3.1 artifact keeps the same package name. So you could use Apache MINA SSHD and include in your application this new 0.3.1.
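As an added illustration of the check described in the comment above (this is example code, not code from the comment, from Apache MINA SSHD or from the eddsa library), the following compares the last 32 bytes of an Ed25519 signature against the group order L directly on the little-endian byte array, with no BigInteger; the class and method names are hypothetical.

```java
/** Canonical-S check for 64-byte Ed25519 signatures (R || S, S little-endian). */
public final class Ed25519SignatureCheck {

    /** Group order L = 2^252 + 27742317777372353535851937790883648493, little-endian bytes. */
    private static final int[] L = {
        0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
        0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
    };

    private Ed25519SignatureCheck() {}

    /**
     * Returns true iff the S half (last 32 bytes) is strictly less than L.
     * Walks the little-endian bytes from the most significant (index 63) downward,
     * so the comparison needs no BigInteger. Run this before handing the signature
     * to a verifier that does not enforce the bound itself.
     */
    public static boolean hasCanonicalS(byte[] signature) {
        if (signature == null || signature.length != 64) {
            return false;
        }
        for (int i = 63; i >= 32; i--) {
            int s = signature[i] & 0xff;
            int l = L[i - 32];
            if (s != l) {
                return s < l;
            }
        }
        return false; // S == L is out of range as well
    }

    public static void main(String[] args) {
        // Constructed sample: R (first 32 bytes) is left zero; only S matters here.
        byte[] sig = new byte[64];
        sig[32] = 1; // S = 1, a canonical scalar
        System.out.println("S = 1     accepted: " + hasCanonicalS(sig));

        // S + L satisfies the same curve equation as S, which is why a verifier
        // must reject it. Its bytes are L with the lowest byte incremented.
        for (int i = 0; i < 32; i++) {
            sig[32 + i] = (byte) L[i];
        }
        sig[32] = (byte) 0xee;
        System.out.println("S = 1 + L accepted: " + hasCanonicalS(sig));
    }
}
```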