Move away from EDDSA !! #1000
Comments
|
@karthickm512 I was in the process of merging changes wrt this. I think the current master now no longer uses eddsa |
|
Thanks for merging pull request #993 @hierynomus! With that pull request merged, the |
|
@hierynomus thank you for your help here. Is there any plan to cut a new version soon now that this dependency has been removed? |
|
(And thank you @exceptionfactory!) |
|
Will the eddsa removal affect the products that use sshj and operating on java11? |
SSHJ continues to work with Java 11 and earlier using the Bouncy Castle library to provide Ed25519 algorithm support. The GitHub workflows run on Java 11 as well, providing confirmation of continued functionality following the removal of the |
|
Wonderful. Then it is more of waiting for sshj release !! |
|
Our company needs this mitigation as soon as possible. What can we do to help you publish a new release to Maven Central with this fix? |
SSHJ uses i2p.crypto.eddsa 0.3.0 which is 7 years old and no new version exists as well as impacted by CVE-2020-36843. If there are any vulnerabilities and they do not release, sshj will be affected and of course we as users of sshj will be affected. Any possibility of switching to alternative 3PP?
The text was updated successfully, but these errors were encountered: