
Update dependency sbt/sbt to v1.9.7 #2846

Merged
merged 1 commit into from
Oct 23, 2023
Merged


Conversation

renovate[bot] (Contributor) commented Oct 23, 2023

Mend Renovate

This PR contains the following updates:

Package    Update    Change
sbt/sbt    patch     1.9.6 -> 1.9.7

Release Notes

sbt/sbt (sbt/sbt)

v1.9.7: 1.9.7

Compare Source

Highlights
  • sbt 1.9.7 updates its IO module to 1.9.7, which fixes a parent path traversal vulnerability in IO.unzip. This was discovered and reported by Kenji Yoshida (@xuwei-k), and fixed by @eed3si9n in io#360.
Zip Slip (arbitrary file write) vulnerability

See GHSA-h9mw-grgx-2fhf for the most up to date information. This affects all sbt versions prior to 1.9.7.

A path traversal vulnerability was discovered in the IO.unzip code. This is a very common vulnerability known as Zip Slip, and was found and fixed in plexus-archiver, Ant, etc.

Given a specially crafted zip or JAR file, IO.unzip allows writing of an arbitrary file. The following is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When executed on some path with six levels, IO.unzip could then overwrite a file under /root/. sbt main uses IO.unzip only in pullRemoteCache and Resolvers.remote, however, many projects use IO.unzip(...) directly to implement custom tasks and tests.

Non-determinism from AutoPlugins loading

sbt 1.9.7 attempts to fix non-determinism of plugin loading order.
This was contributed by @eed3si9n in #7404.

Other updates and fixes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
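The Zip Slip defence the advisory above describes (reject any archive entry whose resolved destination lands outside the extraction directory) is small enough to show end to end. The following is an added example written for this page; it is not sbt's IO.unzip code or the io#360 fix. It builds a constructed in-memory archive containing the malicious entry name quoted in the release notes plus a benign entry, and goes one step beyond the page by also including an absolute-path entry, which the same containment check rejects. Destination paths, entry contents and the temporary directory are all constructed for the demo.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Entry name quoted in the sbt 1.9.7 advisory; the others are constructed for this demo.
MALICIOUS_ENTRY = "../../../../../../root/.ssh/authorized_keys"
ABSOLUTE_ENTRY = "/etc/passwd"          # absolute entry names must be rejected too
BENIGN_ENTRY = "lib/app.conf"


def build_sample_zip() -> bytes:
    """Construct a zip archive in memory with one benign and two hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_ENTRY, "name = demo\n")
        zf.writestr(MALICIOUS_ENTRY, "ssh-ed25519 AAAA...constructed-key\n")
        zf.writestr(ABSOLUTE_ENTRY, "root:x:0:0::/root:/bin/sh\n")
    return buf.getvalue()


def safe_unzip(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract entries whose resolved path stays inside `dest`; reject the rest.

    Returns (extracted_names, rejected_names). Entries are written with
    ZipFile.open() rather than extractall() so the containment check is the
    only thing standing between the entry name and the filesystem, exactly
    the situation an unzip helper like IO.unzip is in.
    """
    dest = dest.resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Path joining discards `dest` when the entry name is absolute, and
            # resolve() collapses the "../" segments; both cases are then caught
            # by the same check. is_relative_to() needs Python 3.9+.
            target = (dest / info.filename).resolve()
            if not target.is_relative_to(dest):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> dict:
    """Unpack the constructed archive into a temporary directory and report."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "unpacked"
        dest.mkdir()
        extracted, rejected = safe_unzip(build_sample_zip(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "benign_present": (dest / BENIGN_ENTRY).is_file(),
        }


if __name__ == "__main__":
    print(run_demo())
```

The check is done on the resolved path rather than on the raw entry name on purpose: filtering the string for "../" misses encodings such as `lib/../../x` and absolute names, while comparing canonical paths catches both. Symlink entries in the archive, and symlinks already present under the destination, are a separate concern this example does not cover; a production extractor needs to handle them as well.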

mergify bot added the "build" label (Change to the build definition and dependencies) on Oct 23, 2023

github-actions (Contributor) commented:

Incompatible changes

slick

3 changes since 3.5.0-pre.106.d463f34e

Code changes

Incompatibility    Symbol                                              Problem
Backward           slick.compat.collection.package                     MissingClassProblem
                   class slick.compat.collection.package does not have a correspondent in current version
Backward           slick.compat.collection.package$                    MissingClassProblem
                   object slick.compat.collection.package does not have a correspondent in current version
Backward           slick.compat.collection.package$JavaConverters$     MissingClassProblem
                   object slick.compat.collection.package#JavaConverters does not have a correspondent in current version

mergify bot merged commit 4f2bfc9 into main on Oct 23, 2023
14 checks passed
mergify bot deleted the renovate/sbt-sbt-1.x branch on October 23, 2023 01:00
nafg added this to the 3.5.0 milestone on Nov 20, 2023