)]}' { "log": [ { "commit": "1285419f2f1bef5fad23f001f74d0f07cc469b5b", "tree": "6b905d1666391bcea7456b2efa41e5757f1093bc", "parents": [ "4e820c90bf8251383b8d72dcc3d0b2cbfd91f45f" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Apr 24 20:26:23 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Apr 24 23:09:41 2026 +0200" }, "message": "GH-743: Use a singleton SftpFileSystemProvider for the ServiceLoader\n\nWhen SFTP file systems are created through the standard Java mechanism\nvia java.nio.file.FileSystems.newFileSystem(URI, Map, Classloader), the\nJDK uses the ServiceLoader to find registered file system providers.\nIt remembers any it can find via the system classloader or via the\nplatform classloader as \"installed providers\" and creates only exactly\none instance of them.\n\nWhen it cannot find a provider matching the URI scheme in the\n\"installed providers\" and a classloader is given, it then tries to\nfind a matching file system provider using that classloader. The\nServiceLoader instantiates each provider it finds to check its scheme\nagainst the URI scheme. But it doesn\u0027t remember these file system\nproviders, so if FileSystems.newFileSystem() is called again, another\ninstance of SftpFileSystemProvider got created.\n\nWhen the returned file system is used, the SftpFileSystemProvider\ncreates an SshClient, and an I/O thread pool is set up. If multiple\nSftpFileSystemProviders get created, there will also be multiple\nSshClients, and multiple thread pools.\n\nAvoid this by registering via the FileSystemProvider SPI only a\nstateless facade class. All instance of this facade class delegate\nto a singleton SftpFileSystemProvider.\n" }, { "commit": "4e820c90bf8251383b8d72dcc3d0b2cbfd91f45f", "tree": "e4d880c2ea4c4b7dcb6a603c521c781d1c719402", "parents": [ "a85a3b1cbaab2d8f4f50e57df1192f4e50960b8f" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Apr 20 21:21:44 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Apr 20 21:34:23 2026 +0200" }, "message": "Add test cases to AuthorizedKeysCertificateTest\n\nSee [1]. Apache MINA SSHD never had that problem, but we also had no\ntest for this. So add one just to be sure.\n\n[1] https://bugzilla.mindrot.org/show_bug.cgi?id\u003d3950" }, { "commit": "a85a3b1cbaab2d8f4f50e57df1192f4e50960b8f", "tree": "f93532b08fbfef2c30d2102e23d59c00ac5db032", "parents": [ "6c215e8cfb0fde02ddcc58681f965b9904e11e12" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Apr 19 13:06:34 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Apr 19 19:45:30 2026 +0200" }, "message": "Better handling of Putty keys with non-ASCII passphrases\n\nThe encoding of Putty passphrases is not specified, and is not recorded\nin *.ppk file headers. Putty on Windows uses whatever the Windows ANSI\ncode page is. (I suppose that gives trouble if it changes between the\ntime the key is generated and the time it is used.)\n\nSo when trying to decode an encrypted private key from Putty, we may\nneed to try different encodings if the passphrase is not pure ASCII.\n\nChange the code to try first UTF-8, then the native encoding unless\nthat also is UTF-8, and finally ISO-8859-1.\n\nRespect the \"native.encoding\" system property that should be set on\nJava \u003e\u003d 17. See JEP-400.[1]\n\n[1] https://openjdk.org/jeps/400" }, { "commit": "6c215e8cfb0fde02ddcc58681f965b9904e11e12", "tree": "d6c2930a2dd0065a33d4c985fa509a9266f68896", "parents": [ "9def2039a7d98e8d91521d3068b14ba69413e4c5" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Apr 19 19:45:10 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Apr 19 19:45:30 2026 +0200" }, "message": "Bump BCFIPS bundles used in a test\n\nbcpkix-fips 2.0.10 -\u003e 2.0.11\nbcutil-fips 2.0.5 -\u003e 2.0.6" }, { "commit": "9def2039a7d98e8d91521d3068b14ba69413e4c5", "tree": "b04ae267b751a0fccd35cee6ce849dc0cb795a57", "parents": [ "a0ef7a567a97c94206378d9e8f8ea0b072bef947" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Apr 19 18:58:48 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Apr 19 18:59:11 2026 +0200" }, "message": "Fix annotation to ignore an unstable test\n\nUse JUnit 5 @Disabled, not JUnit 4 @Ignore." }, { "commit": "a0ef7a567a97c94206378d9e8f8ea0b072bef947", "tree": "d3e61efd019d1dd3e67e81f3b8156f24fcb90b44", "parents": [ "b11c1594436ed5e11a7a08bfa85a81d7864d555e" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Apr 17 23:40:02 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Apr 18 18:41:26 2026 +0200" }, "message": "Host certificates: check both public keys for not being revoked\n\nIt could be that the certificate is perfectly valid, but the\ncertified host key is listed itself as being revoked." }, { "commit": "b11c1594436ed5e11a7a08bfa85a81d7864d555e", "tree": "49186cd292e5011f0a9317ba52db0461e2234ac0", "parents": [ "de65c121e8910dbe9a01ecb864eb147461a68b9f" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Apr 17 22:32:12 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Apr 18 18:41:26 2026 +0200" }, "message": "GH-892: Host certificate principals may contain wildcards\n\nFor host certificates, OpenSSH supports * and ? wildcards. So when\nchecking against the actual hostname, perform a wildcard match." }, { "commit": "de65c121e8910dbe9a01ecb864eb147461a68b9f", "tree": "68d07ad82ea49801aafadcbf871131af9ea05e40", "parents": [ "b450b771fe700766b3bf2d480ea6b20fa2799d41" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Apr 17 20:49:18 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Apr 18 18:41:26 2026 +0200" }, "message": "GH-892: Adapt handling certificates without principals\n\nAlign the handling of certificates without principals with OpenSSH 10.3.\n\nOpenSSH \u003c 10.3 treated this as a wildcard (except for user certificates\nchecked via the TrustedUserCAKeys mechanism) and let such certificates\nmatch any user or host name.\n\nOpenSSH 10.3 changed that and rejects such certificates always since\nthey don\u0027t match any principal.[1]\n\nImplement this. Add a new flag in CoreModuleProperties through which\nclient code can choose what to do with such certificates: allow them\n(and let them match always; as in OpenSSH \u003c 10.3), or forbid them as\nin OpenSSH \u003e\u003d 10.3.\n\nBy default, such certificates without principals are rejected, which is\na change in behavior.\n\n[1] https://www.openssh.org/txt/release-10.3" }, { "commit": "b450b771fe700766b3bf2d480ea6b20fa2799d41", "tree": "b65dee305274809628960d772d96c11863b6e84c", "parents": [ "2f9f053fee11f012f21c2765389e9ba9bb1cd252" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Apr 16 20:39:32 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Apr 16 20:39:32 2026 +0200" }, "message": "Bump grpc 1.78.0 -\u003e 1.79.0" }, { "commit": "2f9f053fee11f012f21c2765389e9ba9bb1cd252", "tree": "450e540faf329a73e0b511db90b9162dee69ade2", "parents": [ "6337151c0db3cd6d8162d8d97c8980fbfe558a42" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Apr 16 20:38:36 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Apr 16 20:38:36 2026 +0200" }, "message": "Bump build plug-in versions\n\nimpsort 1.12.0 -\u003e 1.13.0\nmaven-archiver 3.6.5 -\u003e 3.6.6\ncommons-io 2.20.0 -\u003e 2.21.0" }, { "commit": "6337151c0db3cd6d8162d8d97c8980fbfe558a42", "tree": "32aa116c71a0bbc73b23747a3e8c66a8539d93db", "parents": [ "a3d2251096b1d63779e04a4deb1a95889aba88a7" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Apr 16 19:30:58 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Apr 16 19:30:58 2026 +0200" }, "message": "Bump Bouncy Castle 1.83 -\u003e 1.84\n\nReplace deprecated MLKEM classes by their new counterparts." }, { "commit": "a3d2251096b1d63779e04a4deb1a95889aba88a7", "tree": "eed65c8953a89b6c11bf21ad10a263aeab509098", "parents": [ "22c94b3dc09c4b568207a31a56fc9e4d3ca36b4e" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Mar 14 18:17:31 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Mar 14 18:17:31 2026 +0100" }, "message": "Bump netty 4.2.0.Final to 4.2.10.Final" }, { "commit": "22c94b3dc09c4b568207a31a56fc9e4d3ca36b4e", "tree": "4db0aaf14c0c46309930b8496f1a242081ce174b", "parents": [ "07cfbba3fc0a96476eaa19bd22cac4d6c67ff9fc" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Mar 14 11:54:49 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Mar 14 13:03:12 2026 +0100" }, "message": "Bump dependencies\n\n* org.apache:apache 36 -\u003e 37\n* org.codehaus.plexus:plexus-archiver 4.10.3 -\u003e 4.11.0\n* org.owasp:dependency-check-maven 12.1.8 -\u003e 12.2.0\n* io.grpc:* 1.76.0 -\u003e 1.78.0\n* net.sourceforge.pmd:pmd-core 7.20.0 -\u003e 7.22.0\n* org.assertj:assertj-core 3.27.6 -\u003e 3.27.7" }, { "commit": "07cfbba3fc0a96476eaa19bd22cac4d6c67ff9fc", "tree": "74488f93e167696c0240b533413f076c49f377ac", "parents": [ "160f911b697403e0d430873686c2cf04302a8627" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Mar 13 09:59:38 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Mar 13 09:59:38 2026 +0100" }, "message": "[releng] Fix maven wrapper\n\nUsing dlcdn.apache.org as URL wasn\u0027t a good idea; it carries only the\nlatest 3.8.x and 3.9.x versions. repo.maven.apache.org keeps all\nversions, so use that." }, { "commit": "160f911b697403e0d430873686c2cf04302a8627", "tree": "f7efa29d04f01a9879df6cadab9ff3c355bf1900", "parents": [ "1783572cf8104e6ceb077d7847017c482d0c0caf" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Mar 08 23:43:00 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Mar 12 21:58:47 2026 +0100" }, "message": "Ignore flaky ServerTest.serverIdleTimoutWithForce()\n\nThis test was incorrect since the channel windowing was fixed in commit\n0c8f9b22 in 2022. It\u0027s actually surprising that the test \"worked\"\nsomehow for so long, but lately it\u0027s been failing more often, in\nparticular on faster machines.\n\nThe basic problem is that since the channel window fix,\nAbstcractClientChannel would call LocalWindow.release() when data was\nwritten from the channel to the externally provided OutputStream. This\nwould then send back a window adjustment to the server, and hence the\nserver\u0027s RemoteWindow would not stay at zero. Apparently the test still\nsucceeded most of the time (probably because of the very low sleep of\n1ms in its busy-waiting loop waiting for the window to drop to zero),\nbut it may not have tested what it wanted to test.\n\nThe solution is to simply not provide an external OutputStream to\nthe channel. Then the channel sets up its own stream, and calls\nLocalWindow.release() only once the data is really read from\ninvertedOut. That way, the window really drops to zero, and the server\nwill not get window adjustments.\n\nDespite this seemingly logical fix the test still was flaky. So ignore\nit for now.\n\nNote that the test claims to test \"full TCP/IP buffers\", but it actually\ndoesn\u0027t. It just tests that an idle timeout is effective and can close\nthe session even when the local window is fully used up." }, { "commit": "1783572cf8104e6ceb077d7847017c482d0c0caf", "tree": "e93f752b0d562d058325c2ae06debed938f3b26a", "parents": [ "6b4a81d6f36ad037a8e8824b87081cbc886fa4ed" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Mar 08 21:49:00 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Mar 12 21:58:46 2026 +0100" }, "message": "GH-879: close channel gracefully in TCP/IP forwarding\n\nWhen an exception occurs on the forwarding socket, close the SSH channel\ngracefully." }, { "commit": "6b4a81d6f36ad037a8e8824b87081cbc886fa4ed", "tree": "f97c49f7a922328bc25089a5a5f988556bf2af0d", "parents": [ "03df24689c7045b7965b3a41039f5d4492c210ec" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 22 20:40:43 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 22 20:44:29 2026 +0100" }, "message": "[maven-release-plugin] prepare for next development iteration\n" }, { "commit": "03df24689c7045b7965b3a41039f5d4492c210ec", "tree": "fd70e83969ebe56141452dd07cc6921ba5ebac66", "parents": [ "e661b4a5268cd33877f7b1b2ad75df226ff7b244" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 22 20:40:42 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 22 20:40:42 2026 +0100" }, "message": "[maven-release-plugin] prepare release sshd-2.17.1\n" }, { "commit": "e661b4a5268cd33877f7b1b2ad75df226ff7b244", "tree": "9bf1da22144ba1762d0fc95b306ed2035d42ce6f", "parents": [ "42d2c7de7352d79d8743328c426d88bd71fc631a" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 22 17:20:46 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 22 18:54:07 2026 +0100" }, "message": "GH-875: Update Apache Parent POM\n\nFrom version 35 to 36." }, { "commit": "42d2c7de7352d79d8743328c426d88bd71fc631a", "tree": "e136bc257fb59a42aa7451fc9261076d5cd108e0", "parents": [ "9308c1e1097307e148d6f242871ac0b659ae2fcf" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Jan 13 22:05:32 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Jan 13 22:05:32 2026 +0100" }, "message": "[maven-release-plugin] prepare for next development iteration\n" }, { "commit": "9308c1e1097307e148d6f242871ac0b659ae2fcf", "tree": "ddede1ff5ca64132960402a0efe11f30353dd03d", "parents": [ "5f6bef614e3ac0341a959593055908a02a88a98f" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Jan 13 22:05:31 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Jan 13 22:05:31 2026 +0100" }, "message": "[maven-release-plugin] prepare release sshd-2.17.0\n" }, { "commit": "5f6bef614e3ac0341a959593055908a02a88a98f", "tree": "340f6ff4f9f285298333873c9c2156dcfe703845", "parents": [ "5ee81f47e148649131c91127f29ff2dc26cb61f7" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Jan 07 22:20:58 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 22:06:39 2026 +0100" }, "message": "Prepare documentation for a 2.17.0 release" }, { "commit": "5ee81f47e148649131c91127f29ff2dc26cb61f7", "tree": "a2e92f98157866d1a12652d30f7057975724a424", "parents": [ "b6848c041d8eff1f6c1369df1a0940c005535d23" ], "author": { "name": "Denys Horman", "email": "denys.horman@pm.me", "time": "Sun Jan 11 18:29:04 2026 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 21:38:07 2026 +0100" }, "message": "Fix duplicate character echoing in ProcessShell\n\n- Remove redundant manual ECHO handling in TtyFilterOutputStream\n- Update ProcessShell to stop passing the echo stream to TtyFilterOutputStream\n- Update TtyFilterOutputStream constructors to remove the unused echo parameter\n- Update tests to match the new TtyFilterOutputStream API\n\nThis fix prevents characters from being duplicated in interactive shell sessions\nwhere the underlying shell process already handles echoing.\n" }, { "commit": "b6848c041d8eff1f6c1369df1a0940c005535d23", "tree": "7abc74a9cd185581ab3d0cd2b4d70c87a75c70b3", "parents": [ "d839c952016ef69bbf4834a0c721282498dfb6d9" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 17:21:27 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 17:21:27 2026 +0100" }, "message": "Mock git configuration in git-related tests\n\nWe do not want to pick up any real config of the user running the tests!\nSuch configs may contain settings that break our tests.\n\nAlso mock the home directory for JGit, and hide some environment\nvariables that could potentially affect JGit adversely if set." }, { "commit": "d839c952016ef69bbf4834a0c721282498dfb6d9", "tree": "e96f60587bf6c72bedd8ab20b6693f3d1d023e30", "parents": [ "7a7f2bb9b1d65d0a95636ab18f5b2a1f4e31240e" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 15:12:40 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 17:20:14 2026 +0100" }, "message": "Bump JUnit 5 to latest patch version\n\norg.junit.jupiter 5.14.0 -\u003e 5.14.2\n" }, { "commit": "7a7f2bb9b1d65d0a95636ab18f5b2a1f4e31240e", "tree": "975a607d1cbcc2b599e3291f2f7aa5b67886ab54", "parents": [ "7b397c7e5c76a88028742583c20268b1c3d215fa" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 14:56:12 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 15:08:52 2026 +0100" }, "message": "CoreTestSupportUtils: fix test framework\n\nIt makes no sense to install unsupported key exchange factories. This\nmakes CipherTest fail on Java 25 when run as part of the sshd-mina (and\nprobably also sshd-netty) tests, which do not include BouncyCastle.\n\nWithout BC, MLKEM is not supported with 2.17.0, but the test uses JSch\nas client, which will propose MLKEM when run on Java 25. If the server\nincludes the unsupported MLKEM KEX in its proposal, this will get\nselected and then cause a NoClassDefFoundError exception later in the\nApache MINA SSHD test server, making the test fail.\n\nOn Java 21, JSch does not propose MLKEM, so the test worked because the\nunsupported KEX algorithm was not selected (curve-25519-sha256 is used\ninstead).\n\nSimply don\u0027t ever install unsupported KEX algorithms." }, { "commit": "7b397c7e5c76a88028742583c20268b1c3d215fa", "tree": "e95b27e099042c03a1fcad9e462a3600addd4891", "parents": [ "164385cf65774f51ab1dedbc9bf01399592e375d" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 10 21:32:31 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 14:56:55 2026 +0100" }, "message": "[releng] Build with Java 25 in CI\n\nAlso use the maven wrapper instead of setting up maven via a Github\naction." }, { "commit": "164385cf65774f51ab1dedbc9bf01399592e375d", "tree": "c2f7754f9475cceb2dee6455e161293b941c9be3", "parents": [ "2e58cb522e9517d05b3d59c69b9a883a95aec996" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 10 21:45:44 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 14:56:55 2026 +0100" }, "message": "[releng] Bump dependencies\n\nBouncy Castle 1.82 -\u003e 1.83\nJsch 2.27.4 -\u003e 2.27.7\n" }, { "commit": "2e58cb522e9517d05b3d59c69b9a883a95aec996", "tree": "837bb03b6745a406068034b830f6572e0bc5d37a", "parents": [ "8adfae90e9a3f3c835191f60bc0803c7b662f64c" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 10 21:34:16 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 14:56:54 2026 +0100" }, "message": "[releng] Require Maven 3.9.12\n\nTo be able to build with Java 25." }, { "commit": "8adfae90e9a3f3c835191f60bc0803c7b662f64c", "tree": "e6b48a7cb809b0968a476d10a02d932a276350b9", "parents": [ "96a84b5631648c8c758ad160a8e85caf25a04afe" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Jan 07 22:48:47 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 14:56:54 2026 +0100" }, "message": "[releng] Release preparation\n\nMake sure that the maven-source-plugin uses a modern commons-io.\nSomehow it picks up 2.11.0, which is way too old. Force 2.20.0.\n\nSet deployAtEnd\u003dtrue to avoid that anything is pushed to the deployment\nrepository if something goes wrong when building a release.\n\nThis is a partial back-port of commit aa9c94bb." }, { "commit": "96a84b5631648c8c758ad160a8e85caf25a04afe", "tree": "f24c0f9734383a98cc8e3c13b0a21b9c1f014eab", "parents": [ "5c0a7b84282ccea805897f3eaab887f3c31bb487" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 10 15:01:56 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 11 14:56:53 2026 +0100" }, "message": "Fix namespace declarations in POMs\n\nThey were broken since commit 308dd868. XML namespaces have names that\nlook like URLs, but for historical reasons start with \"http\". Some of\nthese were changed to \"https\" by mistake, which breaks strict XML\nvalidation and causes errors to show up in Eclipse when the POM is\nopened.\n\nCorrect this such that namespace names always have \"http\", but XSD\nlocations have \"https\" URLs." }, { "commit": "5c0a7b84282ccea805897f3eaab887f3c31bb487", "tree": "84c0a1fed0c1759a4e06198980093ba6e5f2a2a0", "parents": [ "c66429a4b2269ec6cfcd8a632e7d124dce655411" ], "author": { "name": "Gary Gregory", "email": "garydgregory@gmail.com", "time": "Sun Jan 11 07:03:01 2026 -0500" }, "committer": { "name": "Gary Gregory", "email": "garydgregory@gmail.com", "time": "Sun Jan 11 07:03:01 2026 -0500" }, "message": "[SSHD-1349] On Java 26-ea, PMD 7.17.0 throws StackOverflowError, update\nto PMD 7.20.0\n\n- Tested `mvn clean package pmd:check -DskipTetsts\u0027\n- Tested OK on Java 17, 21, 25, 26-ea\n" }, { "commit": "c66429a4b2269ec6cfcd8a632e7d124dce655411", "tree": "ff06643a2dc756e6f9f95a6f645b0b0844126571", "parents": [ "4eccf49263abbcf19b1d9c76ac640cfc4c01a875" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Jan 07 20:28:12 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Jan 07 20:30:05 2026 +0100" }, "message": "GH-865: replace %h in HostName SSH config\n\nOpenSSH does so. It enables for instance to write an SSH host entry\n\n Host foo*\n HostName %h.example.com\n\nto resolve \"foobar\" to \"foobar.example.com\" and \"foobaz\" to\n\"foobaz.example.com\"." }, { "commit": "4eccf49263abbcf19b1d9c76ac640cfc4c01a875", "tree": "cc4f60928664bfe99190493d4e3631236ea6c4b4", "parents": [ "c69cd0ceed34c8d073a115a404a6febbb51c69c7" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Jan 04 22:21:42 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Jan 05 21:41:58 2026 +0100" }, "message": "GH-855: single SftpClient in SftpFileSystem\n\nDrop the SftpClient pool and use a single thread-safe SftpClient per\nSftpFileSystem. The SftpClient is closed when the file system is closed.\nIf the server side should close the channel, operations using this\nclient may fail, but a server should not close channels unless there is\nno traffic. If a channel is closed by the server because it is idle, the\nSftpFileSystem will re-create a new SftpClient, thus opening a new\nchannel, on the next operation.\n\nIt is possible that a server decides to close a previously idle channel\njust in the moment the client-side wants to use that channel for a new\noperation. The new operation would then fail. But this possibility has\nalways existed in all previous versions of the SftpFileSystem code.\n\nThe main advantage of using a single SftpClient is that all SFTP\noperations are done in the same channel. This can be important with\nservers that restrict the number of concurrently open channels per SSH\nsession." }, { "commit": "c69cd0ceed34c8d073a115a404a6febbb51c69c7", "tree": "237cb369e38f936f2ea71ca09b42862caa92ea7f", "parents": [ "c1f31ee7c91db471605712ccc158a3a9f40f55b2" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 03 12:36:46 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Jan 05 20:38:23 2026 +0100" }, "message": "GH-855: Thread-safe DefaultSftpClient\n\nSynchronize sending messages through the channel. Messages would be\nsynchronized at the connection level anyway, and most uses of SFTP will\nbe single-threaded anyway, so synchronizing on channel level should not\nimpact performance much.\n\nWith a thread-safe SftpClient, the use of SftpClients in the\nSftpFileSystem can be simplified." }, { "commit": "c1f31ee7c91db471605712ccc158a3a9f40f55b2", "tree": "63211c7c64e0b71704e69394daae8643d205d99f", "parents": [ "c49c0687aff116b8a2039b5b75493234d7bf2ced" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Jan 05 00:07:07 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Jan 05 20:38:22 2026 +0100" }, "message": "Avoid race condition when closing a SshClient\n\nCancellation of a session timeout task may occur asynchronously on\nclosing sessions and on closing the client. Use AtomicReference to\navoid a race condition and concurrent access to a non-volatile field." }, { "commit": "c49c0687aff116b8a2039b5b75493234d7bf2ced", "tree": "75079157a6260d9e175b70d6f6d652122f7150f5", "parents": [ "6bcd715b082567da53b43d1dee0f54353ef79024" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Jan 02 13:58:58 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 03 16:55:57 2026 +0100" }, "message": "GH-721: fix SfpFileSystemProvider.getPath(URI)\n\nOnly handle URIs with scheme \"sftp\" and create a file system for the\ngiven URI if none exists already." }, { "commit": "6bcd715b082567da53b43d1dee0f54353ef79024", "tree": "d512c138f548648fcfda24aaa1cc02151fdccae4", "parents": [ "5a9194bb9bc86384d5303dcb6bd41c6f67ce9a42" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Jan 02 13:08:56 2026 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Jan 03 16:06:13 2026 +0100" }, "message": "GH-721: Create session timeout thread on demand\n\nOnly schedule the SessionTimeoutListener when the first session is\ncreated. Cancel it when there are no more sessions. Re-schedule it\nwhen there are sessions again.\n\nSo the session timeout listener is running periodically only when\nthere are sessions.\n\nThis prevents the up-front creation of these timer threads when an\nSftpFileSystemProvider is instantiated." }, { "commit": "5a9194bb9bc86384d5303dcb6bd41c6f67ce9a42", "tree": "61329d4f0be269bdd11a22fe6d7f9ad679736520", "parents": [ "32038f1dc4d1a2f327412336ab1243a34c23846c" ], "author": { "name": "Evgenii Pasynkov", "email": "pasynkov@gmail.com", "time": "Fri Dec 12 18:12:04 2025 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Jan 02 12:33:34 2026 +0100" }, "message": "Replace \"synchronized\" blocks in AbstractSession with ReentrantLock\n\nsynchronized blocks pin the virtual thread under JDK21+ to physical thread. It is better to avoid such pinning in I/O bound operations so VirtualThread planner can do its job\n" }, { "commit": "32038f1dc4d1a2f327412336ab1243a34c23846c", "tree": "2318528f0ef728b8dedcefb78c1e51ef32baa61d", "parents": [ "bde56696d4353bdb86c8516467a0255ac99e2440" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Dec 30 21:56:54 2025 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Jan 01 15:15:01 2026 +0100" }, "message": "GH-861: prevent zero-byte write in SFTP\n\nIn certain circumstances SftpOutputStreamAsync.flush() could cause\nsending an SSH_FXP_WRITE with zero data bytes. While this is not\nforbidden in SFTP, it is unnecessary and there is at least one SFTP\nserver that (erroneously) rejects such zero-byte writes with an\nSSH_FX_BAD_MESSAGE error.\n\nEnsure that SftpOutputStreamAsync does not produce such extra zero-byte\nwrites." }, { "commit": "bde56696d4353bdb86c8516467a0255ac99e2440", "tree": "64d3521204ec32c7409035e4e076c337097707b6", "parents": [ "3a272e9de06db39e654444549ab5f3097c224356" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Dec 20 16:02:37 2025 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Dec 20 16:02:37 2025 +0100" }, "message": "Update CHANGES.md" }, { "commit": "3a272e9de06db39e654444549ab5f3097c224356", "tree": "a07331f823fc462d2d2540007e7602912a1edea5", "parents": [ "1ef64dcee55b1a5748dca627c63f107079d26a1b" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Dec 20 14:42:52 2025 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Dec 20 14:42:52 2025 +0100" }, "message": "SSHD-1348: SFTP - gracefully handle zero-length SSH_FXP_READs\n\nFix inconsistency between checks for \u003e 0 and \u003e\u003d 0, and ensure a zero-\nlength read at or after EOF returns EOF, i.e., a SSH_FXP_STATUS reply\nwith SSH_FX_EOF. Zero-length reads before EOF return a zero-length\nSSH_FXP_DATA reply." }, { "commit": "1ef64dcee55b1a5748dca627c63f107079d26a1b", "tree": "3bbdff74f6681f8d66d34f0a362fee95fab2449e", "parents": [ "e82a9d378dd3f54bba535a355cac08ae9888dd05" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Dec 03 22:42:26 2025 +0100" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Dec 03 22:44:10 2025 +0100" }, "message": "GH-856: Fix using BC-FIPS\n\nBC-FIPS is quite different from normal BC when it comes to ed25519 keys.\nFIPS 140-3 includes ed25519. (140-2 didn\u0027t.)\n\nBack-port generic ed25519 operations from the 3.0.0 milestone branch and\nuse them to get raw key bytes, or to construct keys from raw bytes. This\navoids the need to use BC-specific classes that differ between BC-FIPS\nand normal BC.\n\nAdd a test run that executes a test using BC-FIPS instead of plain BC.\nThe test exercises all kinds of public key types." }, { "commit": "e82a9d378dd3f54bba535a355cac08ae9888dd05", "tree": "e1227942de2001649cfad2e6cbc68ab03a850376", "parents": [ "b4f2c4a44f249f3df6502a1694d4546ab6b5c336" ], "author": { "name": "Christoph John", "email": "christoph.john@macd.com", "time": "Mon Oct 27 18:30:47 2025 +0100" }, "committer": { "name": "Christoph John", "email": "christoph.john@macd.com", "time": "Wed Nov 05 11:58:09 2025 +0100" }, "message": "Add Maven Wrapper\n\nAdd mvnw scripts and ensure that they are included in the\ndistribution. Ensure line endings are correct on Unix and\nWindows.\n" }, { "commit": "b4f2c4a44f249f3df6502a1694d4546ab6b5c336", "tree": "e9121dd18e3033cf40f7cf5efba6621192d3fb6c", "parents": [ "621e59f705ab6535c8e5554b964d83153b242897" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sun Oct 26 17:24:07 2025 +0100" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 26 17:24:07 2025 +0100" }, "message": "Bump com.github.mwiede:jsch from 2.27.3 to 2.27.4 (#845)\n\n- [Release notes](https://github.com/mwiede/jsch/releases)\n- [Changelog](https://github.com/mwiede/jsch/blob/master/ChangeLog)\n- [Commits](https://github.com/mwiede/jsch/compare/jsch-2.27.3...jsch-2.27.4)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "621e59f705ab6535c8e5554b964d83153b242897", "tree": "43bf287154ca0fe9cc4df5ba0297dc3d7122706f", "parents": [ "f988739199aee8c896ebd0b402ef0ebc14a21807" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sun Oct 26 15:33:36 2025 +0100" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun Oct 26 15:33:36 2025 +0100" }, "message": "Bump com.google.errorprone:error_prone_core from 2.42.0 to 2.43.0 (#846)\n\n- [Release notes](https://github.com/google/error-prone/releases)\n- [Commits](https://github.com/google/error-prone/compare/v2.42.0...v2.43.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "f988739199aee8c896ebd0b402ef0ebc14a21807", "tree": "a07de97181e691224a23286702588cc6e75ba9e4", "parents": [ "794122f0bfb3df30cac8a7d61b2337d97a9986c0" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Oct 18 17:35:57 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Oct 18 17:35:57 2025 +0200" }, "message": "[releng] Fix surefire config\n\nIt made reference to an undefined variable `${workspace.root.folder}`.\nCorrect would have been `${workspace.root.dir}`, defined in the maven\nconfiguration at .mvn/maven.config.\n\nHowever, even if corrected running JUnit tests in Eclipse doesn\u0027t work\n(undefined reference to `session.rootDirectory`) since there is no maven\nsession.\n\nSo fix this differently. As for all our Java projects the maven\nworkspace root is at `${project.basedir}/..` let\u0027s use that. That works\nin Eclipse and on the command-line." }, { "commit": "794122f0bfb3df30cac8a7d61b2337d97a9986c0", "tree": "32ee142ea97787396276b8361c39a6b2670c4cae", "parents": [ "2bb67e61dd16479fc1e0a796914185b7c3ca464f" ], "author": { "name": "Joshua Winkler", "email": "josh@bemoty.dev", "time": "Sat Oct 18 16:12:14 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Oct 18 16:12:14 2025 +0200" }, "message": "fix: negate followLinks flag for checkSymlinkState (#843)\n\nMissing boolean negations in two places led to wrong behavior.\n\nAdd tests for the two cases: fstat and file deletion with symlinks in the path." }, { "commit": "2bb67e61dd16479fc1e0a796914185b7c3ca464f", "tree": "663def41c3cb41cf8b26287b5ce8141140691ebc", "parents": [ "078ea5f0892af329417e5ba0b07bc2d8492536be" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Oct 14 15:09:45 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Oct 14 15:09:45 2025 +0200" }, "message": "Bump org.owasp:dependency-check-maven from 12.1.7 to 12.1.8 (#840)\n\n- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)\n- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.7...v12.1.8)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "078ea5f0892af329417e5ba0b07bc2d8492536be", "tree": "5a3e2f906a586c2a1274a7143a09f21469ee19a2", "parents": [ "5864a66df9f49b7abf5d3c050731f9444609d649" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon Oct 13 21:53:19 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Oct 13 21:53:19 2025 +0200" }, "message": "Bump org.owasp:dependency-check-maven from 12.1.6 to 12.1.7 (#839)\n\n- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)\n- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.6...v12.1.7)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "5864a66df9f49b7abf5d3c050731f9444609d649", "tree": "ee4cce2a53c4bb8924604eaa265b1737f82c66e4", "parents": [ "9cc46e4cd38f3200633d138ca5e59e6bbbd38fa3" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sat Oct 11 21:16:18 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Oct 11 21:16:18 2025 +0200" }, "message": "Bump org.springframework.integration:spring-integration-bom (#838)\n\n- [Release notes](https://github.com/spring-projects/spring-integration/releases)\n- [Commits](https://github.com/spring-projects/spring-integration/compare/v5.5.7...v5.5.20)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "9cc46e4cd38f3200633d138ca5e59e6bbbd38fa3", "tree": "aa7b9d8ef7ce9a79fe9e2f93c1f2465a8ce193e9", "parents": [ "1bf013c886beb4513f06735fa393ab357e32404a" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sat Oct 11 20:23:24 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sat Oct 11 20:23:24 2025 +0200" }, "message": "Bump org.apache.maven.plugins:maven-pmd-plugin from 3.27.0 to 3.28.0 (#837)\n\n- [Release notes](https://github.com/apache/maven-pmd-plugin/releases)\n- [Commits](https://github.com/apache/maven-pmd-plugin/compare/maven-pmd-plugin-3.27.0...maven-pmd-plugin-3.28.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "1bf013c886beb4513f06735fa393ab357e32404a", "tree": "7d06fdd69339f0a5cac3dfe42d4d729018503d46", "parents": [ "023729c80be3a95f363a07d58e2de6c719dbcbe9" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Oct 11 17:56:45 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Oct 11 18:06:27 2025 +0200" }, "message": "[releng] Exclude spring-integration from dependabot updates\n\nSpring 6 needs Java 17+." }, { "commit": "023729c80be3a95f363a07d58e2de6c719dbcbe9", "tree": "f80ba4b7ffe57671e6317228b577300d578d5dc6", "parents": [ "0a942f788783b00a698f7294ad4e664011c17c88" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Oct 11 17:46:06 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Oct 11 18:06:26 2025 +0200" }, "message": "Use more appropriate disconnect reason codes\n\nIn too many places the general SSH2_DISCONNECT_PROTOCOL_ERROR was used,\nwhich gives a potentially misleading message to the client. Use other\nerror reason codes that enable transporting custom messages. (With\n\"protocol error\" or \"mac error\" we always send a fixed message because\nof CVE-2008-1561.)" }, { "commit": "0a942f788783b00a698f7294ad4e664011c17c88", "tree": "a26a4ce492e5e730f47913726b4dca2d6a02c586", "parents": [ "9eebbbd60cd536da931aa1287b7216a096209ddc" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Oct 09 21:10:05 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 09 21:10:05 2025 +0200" }, "message": "Bump grpc.version from 1.75.0 to 1.76.0 (#836)\n\n- [Release notes](https://github.com/grpc/grpc-java/releases)\n- [Commits](https://github.com/grpc/grpc-java/compare/v1.75.0...v1.76.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "9eebbbd60cd536da931aa1287b7216a096209ddc", "tree": "3c7c4c613886fa21ed63c8397060174aac509dfc", "parents": [ "c108570738108e7a14a2b9cf3fd095493e472ab4" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Oct 09 16:38:27 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 09 16:38:27 2025 +0200" }, "message": "Bump org.apache.maven:maven-archiver from 3.6.4 to 3.6.5 (#834)\n\n- [Release notes](https://github.com/apache/maven-archiver/releases)\n- [Commits](https://github.com/apache/maven-archiver/compare/maven-archiver-3.6.4...maven-archiver-3.6.5)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "c108570738108e7a14a2b9cf3fd095493e472ab4", "tree": "201b4d580a52e81448fe769614a6bb982321637c", "parents": [ "89919a74cbfe3ad5c8b96068fdcda00e027e767d" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Oct 09 13:43:36 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 09 13:43:36 2025 +0200" }, "message": "Bump org.codehaus.plexus:plexus-archiver from 4.10.2 to 4.10.3 (#835)\n\n- [Release notes](https://github.com/codehaus-plexus/plexus-archiver/releases)\n- [Changelog](https://github.com/codehaus-plexus/plexus-archiver/blob/master/ReleaseNotes.md)\n- [Commits](https://github.com/codehaus-plexus/plexus-archiver/compare/plexus-archiver-4.10.2...plexus-archiver-4.10.3)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "89919a74cbfe3ad5c8b96068fdcda00e027e767d", "tree": "7c201ba383c977db7f6afcd1b1728cbcca3ed96b", "parents": [ "43380444abe9d2779db1c4b68b1316799cb23df6" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Oct 09 12:55:45 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Oct 09 12:55:45 2025 +0200" }, "message": "Bump org.junit.jupiter:junit-jupiter from 5.13.4 to 5.14.0 (#833)\n\n- [Release notes](https://github.com/junit-team/junit-framework/releases)\n- [Commits](https://github.com/junit-team/junit-framework/compare/r5.13.4...r5.14.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "43380444abe9d2779db1c4b68b1316799cb23df6", "tree": "3d61d85152ca5d595798e55ec1488f94bb778346", "parents": [ "8f0c296a2486e447c180c2205716cfd0d8935b2d" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Oct 09 11:36:36 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Oct 09 11:36:36 2025 +0200" }, "message": "[releng] Exclude JUnit 6 from dependabot updates\n\nJUnit 6 requires Java 17+. As long as our BREE is \u003c 17, using JUnit 6 is\nnot an option." }, { "commit": "8f0c296a2486e447c180c2205716cfd0d8935b2d", "tree": "761cf7d5ef79e4f1d7f829925c8e1da8459df432", "parents": [ "74be99e8d0a10c62bfefbf86f227fde039266fea" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Oct 08 18:05:25 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Oct 08 23:32:51 2025 +0200" }, "message": "GH-830: Get EC curve parameters from the security provider\n\nFor EC public keys read from a ByteArrayBuffer, Bouncy Castle would\ngenerate X.509 encodings using as algorithm parameters not the named\ncurve OID but the raw curve parameters.\n\nThis was caused by our using manually constructed ECParameterSpecs with\nthe values given in [1]. SunEC has code matching raw parameters back to\nknown curve names, and then using the OID, but Bouncy Castle does not.\n\nSo instead of constructing the ECParameterSpecs explicitly let the\nsecurity provider provide them. With that approach, Bouncy Castle can\nproduce a spec that also transports the OID, and then uses the OID in\nthe X.509 encoding.\n" }, { "commit": "74be99e8d0a10c62bfefbf86f227fde039266fea", "tree": "6a02bb9a4f26c5469191649f831b006086646414", "parents": [ "fc3412ed136f46f165e2eee6dbd42ee437c9e433" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed Oct 08 23:27:59 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Oct 08 23:27:59 2025 +0200" }, "message": "Bump org.codehaus.plexus:plexus-archiver from 4.10.1 to 4.10.2 (#829)\n\nBumps [org.codehaus.plexus:plexus-archiver](https://github.com/codehaus-plexus/plexus-archiver) from 4.10.1 to 4.10.2.\n- [Release notes](https://github.com/codehaus-plexus/plexus-archiver/releases)\n- [Changelog](https://github.com/codehaus-plexus/plexus-archiver/blob/master/ReleaseNotes.md)\n- [Commits](https://github.com/codehaus-plexus/plexus-archiver/compare/plexus-archiver-4.10.1...plexus-archiver-4.10.2)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "fc3412ed136f46f165e2eee6dbd42ee437c9e433", "tree": "bc00d2dc9447074da38389598a67f4f9802dfd89", "parents": [ "ce71789ccfe7c56fc3750657d2b5198650b81de4" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed Oct 08 22:43:02 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Oct 08 22:43:02 2025 +0200" }, "message": "Bump jgit.version from 5.13.3.202401111512-r to 5.13.5.202508271544-r (#831)\n\nFixes CVE-2025-4949[1].\n\n[1] https://www.cve.org/CVERecord?id\u003dCVE-2025-4949\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "ce71789ccfe7c56fc3750657d2b5198650b81de4", "tree": "56498381ad589a6e0b1cdfd7a659d499cd941fba", "parents": [ "22b9b07d9f2185e3f7dc43e1feef615e0be49fb2" ], "author": { "name": "Rantanen", "email": "JannuMies@users.noreply.github.com", "time": "Wed Oct 08 22:32:21 2025 +0300" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Oct 08 21:32:21 2025 +0200" }, "message": "Update dead links to OpenSSH PROTOCOL.certkeys\n\nOpenSSH has removed the PROTOCOL.certkeys file. Link to the RFC draft instead.[1]\n\nThis just replicates the https://github.com/openssh/openssh-portable/commit/928f8dc commit for the documentation in this project, as all the replaced places were dead links.\n\n[1] https://datatracker.ietf.org/doc/draft-miller-ssh-cert/\n\nCo-authored-by: JannuMies \u003cjannumies@nonesuchstreet.foobar\u003e" }, { "commit": "22b9b07d9f2185e3f7dc43e1feef615e0be49fb2", "tree": "d935b49ed8ace4f0c301620b79adb3c8a91b4dc3", "parents": [ "c10dbcdaabf45fb53f3ce834d56d640b5893bca0" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Sep 28 18:58:15 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Sep 28 22:11:39 2025 +0200" }, "message": "GH-827: known_hosts: skip and log invalid lines\n\nPrevious code would throw an exception on the first error encountered." }, { "commit": "c10dbcdaabf45fb53f3ce834d56d640b5893bca0", "tree": "75b0cbdd9b7317c60a1fa4b8b221690ae863a041", "parents": [ "14e155a10f8e4cd808482e6d70ec3ac22957d291" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri Sep 26 17:14:46 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Sep 26 17:14:46 2025 +0200" }, "message": "Bump bouncycastle.version from 1.81 to 1.82 (#820)\n\n- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)\n- [Commits](https://github.com/bcgit/bc-java/commits)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "14e155a10f8e4cd808482e6d70ec3ac22957d291", "tree": "e6620da358fe4ae410530ddfbe6c2b02df5da2c4", "parents": [ "9791e3985ce86f30a902ca999a8de5919faf269d" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Sep 25 21:22:23 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Sep 25 21:22:23 2025 +0200" }, "message": "Bump org.owasp:dependency-check-maven from 12.1.5 to 12.1.6 (#826)\n\n- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)\n- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.5...v12.1.6)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "9791e3985ce86f30a902ca999a8de5919faf269d", "tree": "aa7eb9af9637adf9477212f1a163e445c05883c1", "parents": [ "beca40c0327f0dd5539c24ef92c876a648f5bab1" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Sep 23 15:03:44 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Sep 23 15:03:44 2025 +0200" }, "message": "Bump org.assertj:assertj-core from 3.27.5 to 3.27.6 (#825)\n\n- [Release notes](https://github.com/assertj/assertj/releases)\n- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.5...assertj-build-3.27.6)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "beca40c0327f0dd5539c24ef92c876a648f5bab1", "tree": "e1bee23da03c4b1ba3848a175b1e695cc5326254", "parents": [ "9932ed1869b90a9bc0dbb7b9a3baaaad1fece937" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Sep 23 11:50:22 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Sep 23 11:50:22 2025 +0200" }, "message": "Bump org.owasp:dependency-check-maven from 12.1.3 to 12.1.5 (#824)\n\n- [Release notes](https://github.com/dependency-check/DependencyCheck/releases)\n- [Changelog](https://github.com/dependency-check/DependencyCheck/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/dependency-check/DependencyCheck/compare/v12.1.3...v12.1.5)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "9932ed1869b90a9bc0dbb7b9a3baaaad1fece937", "tree": "ab37d8df504d43669c6cdc8576c9c532b2e9d07a", "parents": [ "2a2eef02dd8dfced0eef87e3933b9da4741f0aff" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon Sep 22 17:52:05 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon Sep 22 17:52:05 2025 +0200" }, "message": "Bump com.google.errorprone:error_prone_core from 2.41.0 to 2.42.0 (#823)\n\n- [Release notes](https://github.com/google/error-prone/releases)\n- [Commits](https://github.com/google/error-prone/compare/v2.41.0...v2.42.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "2a2eef02dd8dfced0eef87e3933b9da4741f0aff", "tree": "4b920e22a4396d3dc02855397ab38482dac6b9e6", "parents": [ "18a6e18b824c1c9bafc3b5d53146a58ba2818a77" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Sep 21 11:59:51 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Sep 21 11:59:51 2025 +0200" }, "message": "[releng] Fix test" }, { "commit": "18a6e18b824c1c9bafc3b5d53146a58ba2818a77", "tree": "b49519127c62085414c2e8eb0fa190a3bd5e7c44", "parents": [ "6e29d07935f0da03dca1d94275a7c55bb50b362f" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Sep 20 16:36:28 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Sep 21 11:21:14 2025 +0200" }, "message": "OpenSshCertificate: minor clean-up in isValidNow()" }, { "commit": "6e29d07935f0da03dca1d94275a7c55bb50b362f", "tree": "fd567c47a038e21c53b1a71ccd8a75b835c3ecbd", "parents": [ "65c88769b8823f37e827ac3780e0a60602bf236a" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Sep 20 16:35:19 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Sep 21 11:21:13 2025 +0200" }, "message": "SftpTransferTest: log exceptions\n\nI got some flaky runs on this test. No idea what happened, the server\nfirst gets a \"connection reset\" IOException, and then later logs a\n\"IllegalStateException: Not initialized\", unfortunately without stack\ntrace.\n\nThe additional logging will include the stack trace, which will be\ncontained in the test XML for the flaky run. Hopefully that gives some\ninsight as to where this IllegalStateException is coming from." }, { "commit": "65c88769b8823f37e827ac3780e0a60602bf236a", "tree": "4637027250692896dbab411f28503ce7a43467bb", "parents": [ "86a31ad8178ab3c76222541a6bf5331ea17a0f87" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri Sep 19 14:36:03 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Sep 19 14:36:03 2025 +0200" }, "message": "Bump org.assertj:assertj-core from 3.27.4 to 3.27.5 (#822)\n\nBumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.4 to 3.27.5.\n- [Release notes](https://github.com/assertj/assertj/releases)\n- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.4...assertj-build-3.27.5)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "86a31ad8178ab3c76222541a6bf5331ea17a0f87", "tree": "f0228217245de35f5951e3fe8ec5b029138542f4", "parents": [ "a05d99d919ab6bbadb0a2803a482d0357d37eaef" ], "author": { "name": "Konrad Windszus", "email": "kwin@apache.org", "time": "Tue Sep 16 18:49:38 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Sep 18 08:33:15 2025 +0200" }, "message": "Link BouncyCastle to Standards" }, { "commit": "a05d99d919ab6bbadb0a2803a482d0357d37eaef", "tree": "823cc80dd8616d75309c5bbebea5f13bf516b4a9", "parents": [ "5f60a1bd8c501073d532268471100d3949c31ad8" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Sep 17 18:37:34 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Sep 17 18:38:57 2025 +0200" }, "message": "[releng] Don\u0027t trigger builds for documentation updates\n\nExclude documentation files and also Github issue templates. There\u0027s no\npoint in running a build if no code or build files have changed." }, { "commit": "5f60a1bd8c501073d532268471100d3949c31ad8", "tree": "f914b917bb37a68520ddea3e609761a261bec5d5", "parents": [ "544b553f1aa6db983cbc0cf990093ed922f628bf" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Sep 16 14:40:33 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Sep 16 14:40:33 2025 +0200" }, "message": "Bump net.revelc.code.formatter:formatter-maven-plugin (#818)\n\nBumps net.revelc.code.formatter:formatter-maven-plugin from 2.27.0 to 2.29.0.\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "544b553f1aa6db983cbc0cf990093ed922f628bf", "tree": "4be1a8ad7e0340d9f4fb94a4c0adb5fd69910f10", "parents": [ "5171c50eb593f47819be82e1b1a6d866f7ccaabc" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Sep 16 13:41:38 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue Sep 16 13:41:38 2025 +0200" }, "message": "Bump grpc.version from 1.74.0 to 1.75.0 (#815)\n\nBumps `grpc.version` from 1.74.0 to 1.75.0.\n- [Release notes](https://github.com/grpc/grpc-java/releases)\n- [Commits](https://github.com/grpc/grpc-java/compare/v1.74.0...v1.75.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "5171c50eb593f47819be82e1b1a6d866f7ccaabc", "tree": "cc601e1ca48dd75470c89656e17514ef7a017865", "parents": [ "45aae077b513ffb63b7766f51984a27dd5f1145a" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Mon Sep 15 12:12:36 2025 +0000" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Sep 16 10:00:07 2025 +0200" }, "message": "Bump pmd.version from 7.16.0 to 7.17.0\n\nUpdates `net.sourceforge.pmd:pmd-core` from 7.16.0 to 7.17.0\n- [Release notes](https://github.com/pmd/pmd/releases)\n- [Changelog](https://github.com/pmd/pmd/blob/main/docs/render_release_notes.rb)\n- [Commits](https://github.com/pmd/pmd/compare/pmd_releases/7.16.0...pmd_releases/7.17.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e" }, { "commit": "45aae077b513ffb63b7766f51984a27dd5f1145a", "tree": "32e39e233d407e2f121905b884c0e5c3edc47656", "parents": [ "19e3fd3b55deef41fb2ed8fcb2aeae2c174ba4a2" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Tue Aug 12 16:45:19 2025 +0000" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Sep 16 09:55:35 2025 +0200" }, "message": "Bump org.apache.maven:maven-archiver from 3.6.3 to 3.6.4\n\nBumps [org.apache.maven:maven-archiver](https://github.com/apache/maven-archiver)\nfrom 3.6.3 to 3.6.4.\n- [Release notes](https://github.com/apache/maven-archiver/releases)\n- [Commits](https://github.com/apache/maven-archiver/compare/maven-archiver-3.6.3...maven-archiver-3.6.4)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\n" }, { "commit": "19e3fd3b55deef41fb2ed8fcb2aeae2c174ba4a2", "tree": "a88d9bc0a5f50426dbf99cff84ab4ccdd5232fa5", "parents": [ "92e5a5eb0d7c2595d78577184c7a4b89256a2dcc" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri Sep 12 17:04:37 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Sep 12 17:04:37 2025 +0200" }, "message": "Bump com.github.mwiede:jsch from 2.27.2 to 2.27.3 (#816)\n\nBumps [com.github.mwiede:jsch](https://github.com/mwiede/jsch) from 2.27.2 to 2.27.3.\n- [Release notes](https://github.com/mwiede/jsch/releases)\n- [Changelog](https://github.com/mwiede/jsch/blob/master/ChangeLog)\n- [Commits](https://github.com/mwiede/jsch/compare/jsch-2.27.2...jsch-2.27.3)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "92e5a5eb0d7c2595d78577184c7a4b89256a2dcc", "tree": "6798642b54d8d8111b58deae042be82e3b72947f", "parents": [ "55f262d62b1b00750719003ef5006b28842e1212" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri Sep 12 11:58:18 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Sep 12 11:58:18 2025 +0200" }, "message": "Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 (#798)\n\nBumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 3.27.3 to 3.27.4.\n- [Release notes](https://github.com/assertj/assertj/releases)\n- [Commits](https://github.com/assertj/assertj/compare/assertj-build-3.27.3...assertj-build-3.27.4)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "55f262d62b1b00750719003ef5006b28842e1212", "tree": "ae3287c58bc8463462174dcbb8f0af028b37a4e7", "parents": [ "362758d2d1bad0bd91f4210f6ea8b5763a2cfe38" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Fri Sep 12 10:16:12 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri Sep 12 10:16:12 2025 +0200" }, "message": "Bump org.codehaus.plexus:plexus-archiver from 4.10.0 to 4.10.1 (#805)\n\nBumps [org.codehaus.plexus:plexus-archiver](https://github.com/codehaus-plexus/plexus-archiver) from 4.10.0 to 4.10.1.\n- [Release notes](https://github.com/codehaus-plexus/plexus-archiver/releases)\n- [Changelog](https://github.com/codehaus-plexus/plexus-archiver/blob/master/ReleaseNotes.md)\n- [Commits](https://github.com/codehaus-plexus/plexus-archiver/compare/plexus-archiver-4.10.0...plexus-archiver-4.10.1)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "362758d2d1bad0bd91f4210f6ea8b5763a2cfe38", "tree": "e9c16a9a0555522aec7be8364511590babc684b2", "parents": [ "084e69b8183a3228f0b44acb0c17a5ec86ef44ab" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Sep 08 22:56:41 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Sep 10 22:01:47 2025 +0200" }, "message": "SignatureEd25519: fix vulnerability in net.i2p.crypto:eddsa:0.3.0\n\nnet.i2p.crypto:eddsa:0.3.0 has a bug and omits a crucial check in\nsignature verification. This was reported as CVE-2020-36843[1]\n(signature malleability).\n\nThe problem affects signature verification, but luckily the missing\ncheck can also be performed outside of the library. With this commit\nwe do so and verify that the second 32 bytes of the signature is\nactually in the range [0..L),[2] with L the order as given in RFC\n7748.[3]\n\nThis means that the use of net.i2p.crypto:eddsa:0.3.0, if used for\ned25519 signatures via Apache MINA SSHD, is safe and **not** subject of\nCVE-2020-36843. Of course, vulnerability scanners will still report the\nvulnerability.\n\nNote that Apache MINA SSHD has only a completely optional dependency on\nnet.i2p.crypto:eddsa:0.3.0. If that artifact is not present in the\napplication using Apache MINA SSHD, Apache MINA SSHD will still work. In\nthat case, ed25519 is supported via Bouncy Castle.\n\n[1] https://www.cve.org/CVERecord?id\u003dCVE-2020-36843\n[2] https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7\n[3] https://www.rfc-editor.org/rfc/rfc7748.html#section-4.1\n" }, { "commit": "084e69b8183a3228f0b44acb0c17a5ec86ef44ab", "tree": "e171a3c6d22da214214b259ba2d5866fb6a8e8f1", "parents": [ "59d9961c81ea6b1a3281201e0b5ced414dbff509" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Aug 28 12:39:59 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Aug 28 12:39:59 2025 +0200" }, "message": "Fix equals() \u0026 hashCode() for sk-* keys\n\nInclude verifyRequired in both, and make the static utility methods in\nKeyUtils simply call Objects.equals()." }, { "commit": "59d9961c81ea6b1a3281201e0b5ced414dbff509", "tree": "c6109811d62013e879cbb4b3508df09265fbf000", "parents": [ "d63179ebe68cc8a6d2231a6bd75f6fa47b0f53ac" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Aug 28 12:39:44 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Aug 28 12:39:44 2025 +0200" }, "message": "Fix typos in comments in UserAuthPublicKeySkTest" }, { "commit": "d63179ebe68cc8a6d2231a6bd75f6fa47b0f53ac", "tree": "4f0ebf0b4c72420e1bfb5a9891b1b68b5f18b6ed", "parents": [ "02a5865575d5aae0f70330db1c5228e9bc043482" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 20:54:46 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 20:54:46 2025 +0200" }, "message": "Fix typo in CHANGES.md" }, { "commit": "02a5865575d5aae0f70330db1c5228e9bc043482", "tree": "10735f9a30ae0c86259a7de3f48fad5b73dd1c40", "parents": [ "80fc45f0a2c39034113b934da9e97b36bec7d30e" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 20:51:14 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 20:51:14 2025 +0200" }, "message": "Update CHANGES" }, { "commit": "80fc45f0a2c39034113b934da9e97b36bec7d30e", "tree": "537e08e8df525f8041e9dd8658a39805e2e87b3c", "parents": [ "b05e5ab423e8ea9f15d89ddbebb99f5158d6c0b0" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 18:21:06 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 18:31:40 2025 +0200" }, "message": "Fix server-side authentication with sk-* keys with flags\n\nServer-side, authorized_keys may define flags that are relevant for\nsignature verification of sk-* FIDO/U2F keys: no-touch-required and\nverify-require. UserAuthPublicKey must therefore use the key from the\nauthenticator, which includes these flags, and not the key received on\nthe wire, which doesn\u0027t have them.\n\nAlso be more strict about trailing garbage after the signature." }, { "commit": "b05e5ab423e8ea9f15d89ddbebb99f5158d6c0b0", "tree": "b281fbbef0d077cefe61d6ceba8a4438ff0ffb7e", "parents": [ "a7f8147b59c8fdef236a69bec7fc8b728973da2d" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Tue Aug 26 18:05:03 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Aug 27 18:31:40 2025 +0200" }, "message": "Fix matching sk-* keys against authorized_keys\n\nThe public keys the server receives on the wire do not have any\nflags that may be defined in authorized_keys. Therefore the\nAuthorizedKeyEntriesPublickeyAuthenticator must not include the\nflags in the keys used for the comparison." }, { "commit": "a7f8147b59c8fdef236a69bec7fc8b728973da2d", "tree": "da6af718d5ec0cf5239fba62b3cc0cc6d739e704", "parents": [ "70b55faaa5c5297e290243ff91aadc782952c112" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Aug 25 21:35:43 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Aug 25 21:35:43 2025 +0200" }, "message": "Avoid calling newly deprecated constructor of sk-* keys" }, { "commit": "70b55faaa5c5297e290243ff91aadc782952c112", "tree": "dbe680a210417caccecf089c1d483ec830b5de93", "parents": [ "e472eb6e437b983e61f3c80a2195e4ea5ca6bf92" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Aug 25 19:45:49 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Mon Aug 25 19:49:41 2025 +0200" }, "message": "GH-807: Handle \"verified\" flag for sk-* keys\n\nParse the \"verify_required\" flag from authorized_keys and set it on the\nkeys; add a getter. When checking the signature, also check the\n\"verified\" flag if \"verified-required\" is set.\n" }, { "commit": "e472eb6e437b983e61f3c80a2195e4ea5ca6bf92", "tree": "6414390f6ccb30763f1758db60ded98e16134122", "parents": [ "96661c044d2086bfa6519e0ea13dafa85c390d32" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Aug 23 21:10:24 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sat Aug 23 21:21:16 2025 +0200" }, "message": "Skip container tests if docker is not available\n\nSkip all container tests if no docker engine is running. Remove\ndisabling the tests on Windows: also run these tests on Windows\nif a docker engine is available. (The CI Windows runners don\u0027t have\ndocker.)" }, { "commit": "96661c044d2086bfa6519e0ea13dafa85c390d32", "tree": "2b33ea9ca5d9fc07b1d0e1ef20da6f988e4ea915", "parents": [ "445ef7e8f6a0674576d8f8048e3ee442ff102fc6" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 22:59:29 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 22:59:29 2025 +0200" }, "message": "[maven-release-plugin] prepare for next development iteration\n" }, { "commit": "445ef7e8f6a0674576d8f8048e3ee442ff102fc6", "tree": "6ff1cfa5014a13aa910b0c31094638de9555f722", "parents": [ "ebbfaf935d39b0c248c4dd2028ac647886ad3fa6" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 22:59:29 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 22:59:29 2025 +0200" }, "message": "[maven-release-plugin] prepare release sshd-2.16.0\n" }, { "commit": "ebbfaf935d39b0c248c4dd2028ac647886ad3fa6", "tree": "14608e1cfa894348abb8281a4958da6326655b05", "parents": [ "2ec336a4a88c2d0633c76b949d810fb2852755ba" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 22:55:18 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 22:55:46 2025 +0200" }, "message": "[releng] SCM tag for development versions\n\nIt was \"sshd-2.13.2\", which I find confusing. The value in a development\nversion doesn\u0027t matter at all; release:prepare will fill in the real\nrelease tag for the release, and revert afterwards. So use \"master\"\ninstead." }, { "commit": "2ec336a4a88c2d0633c76b949d810fb2852755ba", "tree": "80e1c3de4cd0088bfe773c78dcb9a4d3d601d4f3", "parents": [ "92eb158391a0c80e37e09283b0f198e1ab1de09f" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 13:17:04 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Sun Aug 17 13:35:18 2025 +0200" }, "message": "Fix javadoc warnings" }, { "commit": "92eb158391a0c80e37e09283b0f198e1ab1de09f", "tree": "2ae2f2afe890a3c6b048f7455ac21ef525170b1b", "parents": [ "62e6b5c890c58edbb0a62e2e7f6feae91dffe3d4" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Aug 08 22:52:54 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Fri Aug 08 22:52:54 2025 +0200" }, "message": "Prepare documentation for a 2.16.0 release" }, { "commit": "62e6b5c890c58edbb0a62e2e7f6feae91dffe3d4", "tree": "9d0176b8aa3495086b69b6fbdee37a657ec36728", "parents": [ "3fbc0a800d1afd5509cd3ce3bf866614e0df670c" ], "author": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Wed Jul 23 20:17:33 2025 +0200" }, "committer": { "name": "Thomas Wolf", "email": "twolf@apache.org", "time": "Thu Aug 07 19:48:30 2025 +0200" }, "message": "[releng] Bump version to 2.16.0-SNAPSHOT" }, { "commit": "3fbc0a800d1afd5509cd3ce3bf866614e0df670c", "tree": "0d7a6780236c63ec8cc2f1531949217ec523c0bc", "parents": [ "99246d694de253a95998357244345bf0a2ef7af9" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Thu Jul 31 08:52:26 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Jul 31 08:52:26 2025 +0200" }, "message": "Bump grpc.version from 1.73.0 to 1.74.0 (#792)\n\n- [Release notes](https://github.com/grpc/grpc-java/releases)\n- [Commits](https://github.com/grpc/grpc-java/compare/v1.73.0...v1.74.0)\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "99246d694de253a95998357244345bf0a2ef7af9", "tree": "72dbe1c8eba3d534d1b188c4222d948669216117", "parents": [ "2868de8c5f79e597ea8c94b134cdf1578cb9a68c" ], "author": { "name": "Konstantin", "email": "91319844+fersaru@users.noreply.github.com", "time": "Wed Jul 30 18:19:24 2025 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed Jul 30 18:19:24 2025 +0200" }, "message": "Fix ClientChannelEvent.Timeout and ClientSessionEvent.TIMEOUT (#790)\n\nFix AbstractClientChannel.waitFor() and ClientSessionImpl.waitFor(); they could time-out much too early.\n\nOn some hosts, on which waiting for the `futureLock.wait(remWait)` is faster than 1 millisecond, `remWait` gets reduced by 123 milliseconds although not even one passed. This causes a `ClientChannelEvent.Timeout` or `ClientSessionEvent.TIMEOUT` after a much smaller time passed than the configured timeout.\n\nWith these changes, the `remWait` is calculated based on the milliseconds passed instead of transformed nanoseconds.\n\n" } ], "next": "2868de8c5f79e597ea8c94b134cdf1578cb9a68c" }