!17 [sync] PR-13: Fix CVE-2023-35887

From: @openeuler-sync-bot Reviewed-by: @wk333 Signed-off-by: @wk333
2024-01-12 00:50:35 +00:00 · 2024-01-12 00:50:35 +00:00 · 97c8ac8cb4
commit 97c8ac8cb4
parent 93906a0d43 e7c7e18533
2 changed files with 2345 additions and 4 deletions
--- a/CVE-2023-35887.patch
+++ b/CVE-2023-35887.patch
--- a/apache-sshd.spec
+++ b/apache-sshd.spec
@ -1,13 +1,15 @@
 Epoch:               1
 Name:                apache-sshd
 Version:             2.9.2
-Release:             1
+Release:             2
 Summary:             Apache SSHD
 License:             ASL 2.0 and ISC
 URL:                 http://mina.apache.org/sshd-project
 Source0:             https://archive.apache.org/dist/mina/sshd/%{version}/apache-sshd-%{version}-src.tar.gz
 Patch0:              0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
 Patch1:              apache-sshd-javadoc.patch
+# https://github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b
+Patch2:              CVE-2023-35887.patch

 BuildRequires:       maven-local mvn(junit:junit) mvn(net.i2p.crypto:eddsa) mvn(org.apache.ant:ant)
 BuildRequires:       mvn(org.apache:apache:pom:) mvn(org.apache.felix:maven-bundle-plugin)
@ -32,9 +34,7 @@ Summary:             API documentation for %{name}
 This package provides %{name}.

 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
+%autosetup -p1
 rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix
 %pom_remove_dep :spring-framework-bom
 %pom_remove_dep :testcontainers-bom sshd-sftp sshd-core
@ -71,6 +71,9 @@ rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix
 %license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt

 %changelog
+* Thu Jan 11 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.9.2-2
+- Fix CVE-2023-35887
+
 * Mon Nov 21 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1:2.9.2-1
 - Fix CVE-2022-45047