Move away from EDDSA !!

[karthickm512]

SSHJ uses i2p.crypto.eddsa 0.3.0 which is 7 years old and no new version exists as well as impacted by CVE-2020-36843. If there are any vulnerabilities and they do not release, sshj will be affected and of course we as users of sshj will be affected. Any possibility of switching to alternative 3PP?

[hierynomus]

@karthickm512 I was in the process of merging changes wrt this. I think the current master now no longer uses eddsa

[exceptionfactory]

Thanks for merging pull request #993 @hierynomus!

With that pull request merged, the eddsa library is no longer a project dependency.

[juan-philippe]

@hierynomus thank you for your help here. Is there any plan to cut a new version soon now that this dependency has been removed?

[juan-philippe]

(And thank you @exceptionfactory!)

[karthickm512]

Will the eddsa removal affect the products that use sshj and operating on java11?

[exceptionfactory]

Will the eddsa removal affect the products that use sshj and operating on java11?

SSHJ continues to work with Java 11 and earlier using the Bouncy Castle library to provide Ed25519 algorithm support. The GitHub workflows run on Java 11 as well, providing confirmation of continued functionality following the removal of the eddsa library.

[karthickm512]

Wonderful. Then it is more of waiting for sshj release !!

[mmellon]

Our company needs this mitigation as soon as possible. What can we do to help you publish a new release to Maven Central with this fix?

[dmitrysulman]

@hierynomus Do you have any updates on the expected release timeline?

[karthickm512]

@hierynomus Could you pls share the tentative timeline for 0.40.0 release?

[jgronfur]

@hierynomus Any update on a timeline for this release?

[robertpatrick]

We also need this new release ASAP. Any ETAs?

[ddsharpe]

@hierynomus Any ETA for the next release without eddsa?

[ChesterEcwid]

@hierynomus, any news here?

[karthickm512]

I suppose they have no release plan for few more months. We could either find alternative or live with the issues till they release