I was wondering if you were planning to update the sshd jars to 2.9.1+ due to CVE-2022-45047.
Thanks,
Karl
Hello Karl,
SVNKit is not affected by this vulnerability as it doesn’t use the Apache SSHD library to load or save private keys - key data is loaded externally.
Nevertheless, SVNKit 1.10.11 will include a newer version of the Apache SSHD library (2.9.2) with that vulnerability fixed.
CVE-2023-48795 may affect trilead-ssh2-1.0.0-build222.jar it seems.
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
Apache 2.9.2 is also, so I would go to 2.11.0 instead.
Is there a timeline for SVNKit 1.10.11 using Apache SSHD?
Also,
https://svnkit.com/ lists
Latest Version:
1.10.10
and the download page (SVNKit :: Download) also lists 1.10.10 as latest,
but Maven:
https://mvnrepository.com/artifact/org.tmatesoft.svnkit/svnkit/1.10.11
So, I think the svnkit homepage is wrong.