From f9556cd479c0c6a83b7bf6e576de508d5fe38c9b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 27 Dec 2024 04:38:16 +0000 Subject: [PATCH] [JENKINS-75077] Update mina-sshd-api.version to v2.14.0-138.v6341ee58e1df https://github.com/jenkinsci/jenkins/pull/10096 is the pull request to the master branch that has been merged for inclusion in the 7 Jan 2025 release of Jenkins 2.492. The Apache MINA core library has reported CVE-2024-52046 https://github.com/advisories/GHSA-76h9-2vwh-w278 , an issue for MINA users that use `ioBuffer.getObject()`. Jenkins is not affected by the issue, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable. Let's backport the change to the stable-2.479 line so that it can be part of Jenkins 2.479.3 This is an exception to the policy that we only backport to an LTS after a change has been merged to the Jenkins weekly release. I think this exception should be approved so that we reduce the amount of time that the Jenkins security team must spend explaining that Jenkins is not vulnerable to this issue. It is simpler to include the updated library plugin than to spend time explaining why this is not an issue. (cherry picked from commit efae3ca4559e6dc526a37d99e5a9f51050259d5c) --- war/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/war/pom.xml b/war/pom.xml index 9130f591b7d0..d7beb09ce5ea 100644 --- a/war/pom.xml +++ b/war/pom.xml @@ -46,7 +46,7 @@ THE SOFTWARE. localhost 8080 - 2.13.2-125.v200281b_61d59 + 2.14.0-138.v6341ee58e1df 3107.v665000b_51092
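Review bot: The single changed line in the war/pom.xml hunk (2.13.2-125.v200281b_61d59 to 2.14.0-138.v6341ee58e1df) is a minor-version step of the bundled library plugin, backported to stable-2.479 as an exception before the change has shipped in a weekly release, and nothing in the patch records that the new plugin release is compatible with the 2.479.x core baseline. Suggest stating in the commit message that the minimum Jenkins version required by 2.14.0-138.v6341ee58e1df is at or below 2.479 and that the stable-branch test suite passed with it. The message also says Jenkins is not affected by CVE-2024-52046 because the issue concerns MINA users that call `ioBuffer.getObject()`; a one-line pointer to where that was checked (for example under JENKINS-75077) would let someone auditing the LTS changelog verify the not-affected statement instead of relying on the commit text alone.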