HADOOP-18894: upgrade sshd-core due to CVEs #6060

Merged
merged 5 commits into from
Jan 21, 2024

pjfanning
Contributor

@pjfanning pjfanning commented Sep 13, 2023

Description of PR

https://issues.apache.org/jira/browse/HADOOP-18894

How was this patch tested?

CI build

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@hadoop-yetus

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 47s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 48m 23s trunk passed
+1 💚 compile 0m 18s trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 compile 0m 19s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 mvnsite 0m 23s trunk passed
+1 💚 javadoc 0m 23s trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 20s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 shadedclient 87m 39s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 13s the patch passed
+1 💚 compile 0m 13s the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javac 0m 13s the patch passed
+1 💚 compile 0m 12s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 javac 0m 12s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 mvnsite 0m 15s the patch passed
+1 💚 javadoc 0m 13s the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 12s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
-1 ❌ shadedclient 3m 41s patch has errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 13s hadoop-project in the patch passed.
+1 💚 asflicense 0m 28s The patch does not generate ASF License warnings.
97m 39s
Subsystem Report/Notes
Docker ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/1/artifact/out/Dockerfile
GITHUB PR #6060
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname Linux 793b25e51f87 4.15.0-212-generic #223-Ubuntu SMP Tue May 23 13:09:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / ee3284c
Default Java Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/1/testReport/
Max. process+thread count 585 (vs. ulimit of 5500)
modules C: hadoop-project U: hadoop-project
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/1/console
versions git=2.25.1 maven=3.6.3
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 1m 23s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 2 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 15m 3s Maven dependency ordering for branch
+1 💚 mvninstall 36m 30s trunk passed
+1 💚 compile 18m 22s trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 compile 16m 27s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 checkstyle 4m 43s trunk passed
+1 💚 mvnsite 2m 8s trunk passed
+1 💚 javadoc 1m 40s trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 1m 17s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+0 🆗 spotbugs 0m 38s branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
+1 💚 shadedclient 40m 9s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 34s Maven dependency ordering for patch
+1 💚 mvninstall 1m 7s the patch passed
+1 💚 compile 17m 31s the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javac 17m 31s the patch passed
+1 💚 compile 16m 23s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 javac 16m 23s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
-0 ⚠️ checkstyle 4m 36s /results-checkstyle-root.txt root: The patch generated 1 new + 3 unchanged - 0 fixed = 4 total (was 3)
+1 💚 mvnsite 2m 7s the patch passed
+1 💚 javadoc 1m 35s the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 1m 18s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+0 🆗 spotbugs 0m 31s hadoop-project has no data from spotbugs
+1 💚 shadedclient 40m 3s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 29s hadoop-project in the patch passed.
+1 💚 unit 19m 0s hadoop-common in the patch passed.
+1 💚 asflicense 0m 57s The patch does not generate ASF License warnings.
254m 5s
Subsystem Report/Notes
Docker ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/2/artifact/out/Dockerfile
GITHUB PR #6060
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle
uname Linux 2156a6889233 4.15.0-212-generic #223-Ubuntu SMP Tue May 23 13:09:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 125ef11
Default Java Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/2/testReport/
Max. process+thread count 3010 (vs. ulimit of 5500)
modules C: hadoop-project hadoop-common-project/hadoop-common U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/2/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 42s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 1s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 0s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 2 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 57s Maven dependency ordering for branch
+1 💚 mvninstall 32m 24s trunk passed
+1 💚 compile 17m 17s trunk passed with JDK Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04
+1 💚 compile 16m 6s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 checkstyle 4m 26s trunk passed
+1 💚 mvnsite 2m 36s trunk passed
+1 💚 javadoc 2m 11s trunk passed with JDK Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 1m 45s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+0 🆗 spotbugs 0m 53s branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
+1 💚 shadedclient 35m 38s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 41s Maven dependency ordering for patch
+1 💚 mvninstall 1m 15s the patch passed
+1 💚 compile 16m 23s the patch passed with JDK Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04
+1 💚 javac 16m 23s the patch passed
+1 💚 compile 16m 11s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 javac 16m 11s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 4m 24s the patch passed
+1 💚 mvnsite 2m 33s the patch passed
+1 💚 javadoc 2m 5s the patch passed with JDK Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04
+1 💚 javadoc 1m 45s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+0 🆗 spotbugs 0m 45s hadoop-project has no data from spotbugs
+1 💚 shadedclient 36m 20s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 44s hadoop-project in the patch passed.
+1 💚 unit 19m 18s hadoop-common in the patch passed.
+1 💚 asflicense 1m 11s The patch does not generate ASF License warnings.
243m 11s
Subsystem Report/Notes
Docker ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/3/artifact/out/Dockerfile
GITHUB PR #6060
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle
uname Linux e9e2bac40623 4.15.0-212-generic #223-Ubuntu SMP Tue May 23 13:09:22 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 09e73a3
Default Java Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.20+8-post-Ubuntu-1ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/3/testReport/
Max. process+thread count 3159 (vs. ulimit of 5500)
modules C: hadoop-project hadoop-common-project/hadoop-common U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/3/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@hadoop-yetus

🎊 +1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 48s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 0s codespell was not available.
+0 🆗 detsecrets 0m 0s detect-secrets was not available.
+0 🆗 xmllint 0m 1s xmllint was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
+1 💚 test4tests 0m 0s The patch appears to include 2 new or modified test files.
_ trunk Compile Tests _
+0 🆗 mvndep 14m 16s Maven dependency ordering for branch
+1 💚 mvninstall 35m 40s trunk passed
+1 💚 compile 18m 28s trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 compile 16m 47s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 checkstyle 4m 41s trunk passed
+1 💚 mvnsite 2m 13s trunk passed
+1 💚 javadoc 1m 44s trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 1m 16s trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+0 🆗 spotbugs 0m 39s branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
+1 💚 shadedclient 39m 57s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+0 🆗 mvndep 0m 35s Maven dependency ordering for patch
+1 💚 mvninstall 1m 8s the patch passed
+1 💚 compile 17m 34s the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javac 17m 34s the patch passed
+1 💚 compile 16m 39s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚 javac 16m 39s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 4m 38s the patch passed
+1 💚 mvnsite 2m 8s the patch passed
+1 💚 javadoc 1m 38s the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 1m 16s the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+0 🆗 spotbugs 0m 31s hadoop-project has no data from spotbugs
+1 💚 shadedclient 39m 56s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 0m 30s hadoop-project in the patch passed.
+1 💚 unit 19m 14s hadoop-common in the patch passed.
+1 💚 asflicense 0m 59s The patch does not generate ASF License warnings.
252m 40s
Subsystem Report/Notes
Docker ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/4/artifact/out/Dockerfile
GITHUB PR #6060
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle
uname Linux 2facaf69a61b 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 03381d2
Default Java Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/4/testReport/
Max. process+thread count 2680 (vs. ulimit of 5500)
modules C: hadoop-project hadoop-common-project/hadoop-common U: .
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6060/4/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@pjfanning
Contributor Author

@slfan1989 is this something that we could merge? The code is only used in tests but it makes Dependabot a bit happier and it's more maintainable to use a newer version of the lib.

@slfan1989
Contributor

slfan1989 commented Jan 15, 2024

> @slfan1989 is this something that we could merge? The code is only used in tests but it makes Dependabot a bit happier and it's more maintainable to use a newer version of the lib.

@pjfanning Can we retrigger compilation again? Should we add this dependency to LICENSE-binary?

@pjfanning
Contributor Author

>> @slfan1989 is this something that we could merge? The code is only used in tests but it makes Dependabot a bit happier and it's more maintainable to use a newer version of the lib.
>
> @pjfanning Can we retrigger compilation again? Should we add this dependency to LICENSE-binary?

done

@slfan1989
Contributor

>>> @slfan1989 is this something that we could merge? The code is only used in tests but it makes Dependabot a bit happier and it's more maintainable to use a newer version of the lib.
>>
>> @pjfanning Can we retrigger compilation again? Should we add this dependency to LICENSE-binary?
>
> done

LGTM.

@slfan1989
Contributor

@Hexiaoqiao @ayushtkn @steveloughran Can you help review this PR? Thank you very much!

Contributor

@Hexiaoqiao Hexiaoqiao left a comment

LGTM. +1 from my side. Thanks @pjfanning .

@steveloughran
Contributor

would need to be tagged as incompatible if sshd ftp jar is now needed in installations which want to use it.

(I'd have moved it to its own module if SSH wasn't apparently used for of the failover detection in some deployments -that's something to ask on the hdfs/yarn lists to see if it still holds)

@pjfanning
Contributor Author

@steveloughran these are test-only-dependencies. Still nice to keep them up to date especially when the old versions have CVEs.

@slfan1989
Contributor

@pjfanning I plan to merge this PR into trunk and push it to branch3.4/branch3.4.0 after the compilation results are available.

@steveloughran Do you have any other suggestions?

cc: @Hexiaoqiao

@Hexiaoqiao
Contributor

Re-trigger CI, Let's wait what it will say.

@slfan1989
Contributor

> Re-trigger CI, Let's wait what it will say.

@pjfanning We need to rebase trunk branch.

https://ci-hadoop.apache.org/blue/organizations/jenkins/hadoop-multibranch/detail/PR-6361/6/pipeline/

[2024-01-18T09:33:47.125Z] ERROR: Failed to write github status. Token expired or missing repo:status write?

@slfan1989
Contributor

@pjfanning #6472 has been compiled successfully. I merged #6060 to the trunk branch and pushed it to branch-3.4/branch-3.4.0.

cc: @steveloughran @Hexiaoqiao

@slfan1989 slfan1989 merged commit 76691df into apache:trunk Jan 21, 2024
1 of 2 checks passed
slfan1989 pushed a commit that referenced this pull request Jan 21, 2024
… Fanning.

Reviewed-by: He Xiaoqiao <[email protected]>
Reviewed-by: Steve Loughran <[email protected]>
Signed-off-by: Shilun Fan <[email protected]>
slfan1989 pushed a commit that referenced this pull request Jan 21, 2024
… Fanning.

Reviewed-by: He Xiaoqiao <[email protected]>
Reviewed-by: Steve Loughran <[email protected]>
Signed-off-by: Shilun Fan <[email protected]>
jiajunmao pushed a commit to jiajunmao/hadoop-MLEC that referenced this pull request Feb 6, 2024
… by PJ Fanning.

Reviewed-by: He Xiaoqiao <[email protected]>
Reviewed-by: Steve Loughran <[email protected]>
Signed-off-by: Shilun Fan <[email protected]>