navicore/stsource
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases 1 Packages Wiki Activity Actions

Update dependency sbt/sbt to v1.9.7 #30

Merged
renovate[bot] merged 1 commit from renovate/sbt-sbt-1.x into master 2023-11-01 12:14:28 +00:00
Conversation 0 Commits 1 Files changed 1 +1 -1
renovate[bot] commented 2023-11-01 01:55:41 +00:00 (Migrated from github.com)
Copy link

Mend Renovate

This PR contains the following updates:

Package Update Change
sbt/sbt patch 1.9.6 -> 1.9.7

Release Notes

sbt/sbt (sbt/sbt)

v1.9.7: 1.9.7

Compare Source

Highlights
  • sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@​xuwei-k), and fixed by @​eed3si9n in io#360.
Zip Slip (arbitrary file write) vulnerability

See https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

Path traversal vulnerabilty was discovered in IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @​eed3si9n in #​7404.

Other updates and fixes

Configuration

📅 Schedule: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [sbt/sbt](https://togithub.com/sbt/sbt) | patch | `1.9.6` -> `1.9.7` | --- ### Release Notes <details> <summary>sbt/sbt (sbt/sbt)</summary> ### [`v1.9.7`](https://togithub.com/sbt/sbt/releases/tag/v1.9.7): 1.9.7 [Compare Source](https://togithub.com/sbt/sbt/compare/v1.9.6...v1.9.7) ##### Highlights - sbt 1.9.7 updates its IO module to 1.9.7, which fixes parent path traversal vulnerability in `IO.unzip`. This was discovered and reported by Kenji Yoshida ([@&#8203;xuwei-k][@&#8203;xuwei-k]), and fixed by [@&#8203;eed3si9n][@&#8203;eed3si9n] in [io#360][io360]. ##### Zip Slip (arbitrary file write) vulnerability See <https://github.com/sbt/sbt/security/advisories/GHSA-h9mw-grgx-2fhf> for the most up to date information. This affects all sbt versions prior to 1.9.7. Path traversal vulnerabilty was discovered in `IO.unzip` code. This is a very common vulnerability known as [Zip Slip](https://security.snyk.io/research/zip-slip-vulnerability), and was found and fixed in plexus-archiver, Ant, etc. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. The follow is an example of a malicious entry: +2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys When executed on some path with six levels, `IO.unzip` could then overwrite a file under `/root/`. sbt main uses `IO.unzip` only in `pullRemoteCache` and `Resolvers.remote`, however, many projects use `IO.unzip(...)` directly to implement custom tasks and tests. ##### Non-determinism from AutoPlugins loading We've known that occasionally some builds non-deterministically flip-flops its behavior when a task or a setting is set by two independent AutoPlugins, i.e. two plugins that neither depends on the other. sbt 1.9.7 attempts to fix non-determinism of plugin loading order. This was contributed by [@&#8203;eed3si9n][@&#8203;eed3si9n] in [#&#8203;7404][7404]. ##### Other updates and fixes - Updates Coursier to 2.1.7 by [@&#8203;regiskuckaertz][@&#8203;regiskuckaertz] in [#&#8203;7392][7392] - Updates Swoval to 2.1.12 by [@&#8203;eatkins][@&#8203;eatkins] in [io#353][io353]. - Fixes `.sbtopts` support for `sbt` runner script on Windows by [@&#8203;ptrdom][@&#8203;ptrdom] in [#&#8203;7393][7393] - Adds documentation on `scriptedSbt` key by [@&#8203;mdedetrich][@&#8203;mdedetrich] in [#&#8203;7383][7383] - Includes the URL in `dependencyBrowseTree` log by [@&#8203;mkurz][@&#8203;mkurz] in [#&#8203;7396][7396] [@&#8203;eed3si9n]: https://togithub.com/eed3si9n [@&#8203;Nirvikalpa108]: https://togithub.com/Nirvikalpa108 [@&#8203;adpi2]: https://togithub.com/adpi2 [@&#8203;er1c]: https://togithub.com/er1c [@&#8203;eatkins]: https://togithub.com/eatkins [@&#8203;dwijnand]: https://togithub.com/dwijnand [@&#8203;xuwei-k]: https://togithub.com/xuwei-k [@&#8203;regiskuckaertz]: https://togithub.com/regiskuckaertz [@&#8203;ptrdom]: https://togithub.com/ptrdom [@&#8203;mdedetrich]: https://togithub.com/mdedetrich [@&#8203;mkurz]: https://togithub.com/mkurz [7404]: https://togithub.com/sbt/sbt/pull/7404 [7392]: https://togithub.com/sbt/sbt/pull/7392 [7393]: https://togithub.com/sbt/sbt/pull/7393 [7396]: https://togithub.com/sbt/sbt/pull/7396 [7383]: https://togithub.com/sbt/sbt/pull/7383 [io353]: https://togithub.com/sbt/io/pull/353 [io360]: https://togithub.com/sbt/io/pull/360 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 3am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/navicore/stsource). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMS41IiwidXBkYXRlZEluVmVyIjoiMzcuMzEuNSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciJ9-->
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug
Something isn't working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
wontfix
This will not be worked on

No labels
bug
duplicate
enhancement
good first issue
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
navicore/stsource!30
No description provided.