This Maverick Synergy Java SSH API release contains a critical security update for server users using 3.0.7, client-side proxy support, refactored ed25519 implementation, and minor bug fixes.
This update is a Hotfix Branch release and is currently only available to our commercial Hotfix product subscribers. Jadaptive will push these fixes to the open-source version at a future date according to our Open Source Release Policy.
Proxy Protocol Security
The initial implementation of the Proxy Protocol in version 3.0.7 was left open, which allowed a user with sufficient knowledge to spoof their IP address. The enabled of this feature is now disabled by default and includes the ability to restrict access to the proxy protocol by IP address. We recommend all customers upgrade to this new version to mitigate any risk from this issue.
Support for HTTP and SOCKS proxies in outgoing SSH connection is complete. You can review how to use these in our documentation at:
Ed25519 keys were supported only when a BouncyCastle JCE was present in the classpath in previous releases. We have refactored this to use generic JCE interfaces. We can now use these keys in more environments, specifically Java 15+, which includes the ed25519 algorithm by default.
The full changelog is at: