Skip to content

Bump org.apache.sshd:sshd-core from 2.17.1 to 2.18.0#1030

Closed
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/gradle/org.apache.sshd-sshd-core-2.18.0
Closed

Bump org.apache.sshd:sshd-core from 2.17.1 to 2.18.0#1030
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/gradle/org.apache.sshd-sshd-core-2.18.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Copy link
Copy Markdown
Contributor

Bumps org.apache.sshd:sshd-core from 2.17.1 to 2.18.0.

Release notes

Sourced from org.apache.sshd:sshd-core's releases.

Apache MINA SSHD 2.18.0

Bug Fixes

  • GH-743 Ensure the Java ServiceLoader use a singleton SftpFileSystemProvider
  • GH-879 Close SSH channel gracefully on exception in port forwarding
  • Security: Improve handling of repository paths in sshd-git. Resolves CVE-2026-48827, announced 2026-05-30.

New Features

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

Wildcard principals in host certificates are handled now.

  • Putty keys with non-ASCII passphrases

The passphrase needs to be converted to a byte sequence to compute a decryption key for an encrypted private key. This conversion depends on the character encoding. Putty on Windows uses the ANSI codepage set when the key was generated. Apache MINA SSHD now tries multiple encodings in sequence: UTF-8, then the OS encoding, and finally ISO-8859-1 as a last-chance fallback.

Potential Compatibility Issues

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes. In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false) that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any user or host name as in OpenSSH < 10.3.

Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an SshServer or ServerSession to govern the handling of user certificates.

Changelog

Sourced from org.apache.sshd:sshd-core's changelog.

Previous Versions

Latest Version

Planned for Next Version

Bug Fixes

New Features

Potential Compatibility Issues

Major Code Re-factoring

Commits
  • c2d7b7a [maven-release-plugin] prepare release sshd-2.18.0
  • 084cee8 Prepare release documentation
  • db0567b Improve git access
  • 1285419 GH-743: Use a singleton SftpFileSystemProvider for the ServiceLoader
  • 4e820c9 Add test cases to AuthorizedKeysCertificateTest
  • a85a3b1 Better handling of Putty keys with non-ASCII passphrases
  • 6c215e8 Bump BCFIPS bundles used in a test
  • 9def203 Fix annotation to ignore an unstable test
  • a0ef7a5 Host certificates: check both public keys for not being revoked
  • b11c159 GH-892: Host certificate principals may contain wildcards
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [org.apache.sshd:sshd-core](https://github.com/apache/mina-sshd) from 2.17.1 to 2.18.0.
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](apache/mina-sshd@sshd-2.17.1...sshd-2.18.0)

---
updated-dependencies:
- dependency-name: org.apache.sshd:sshd-core
  dependency-version: 2.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jun 2, 2026
@bgalek bgalek closed this Jun 2, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@bgalek bgalek reopened this Jun 2, 2026
@bgalek bgalek closed this Jun 2, 2026
@dependabot dependabot Bot deleted the dependabot/gradle/org.apache.sshd-sshd-core-2.18.0 branch June 2, 2026 19:07
@codecov

codecov Bot commented Jun 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.45%. Comparing base (7d9dee9) to head (e4256e4).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #1030   +/-   ##
=========================================
  Coverage     58.45%   58.45%           
  Complexity      448      448           
=========================================
  Files            84       84           
  Lines          1844     1844           
  Branches        149      149           
=========================================
  Hits           1078     1078           
  Misses          708      708           
  Partials         58       58           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant