bump(ftp): commons-net 3.11.1 (was 3.8.0)

[ennru]

CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default

• https://commons.apache.org/proper/commons-net/security.html
• https://github.com/hierynomus/sshj#release-history

Tests in our FtpsWithProxyStageTest started failing which makes apache/commons-net#90 look suspicious. We had to disable the test.

Refs

• "Unsupported or unrecognized SSL message" for FTPS via proxy https://issues.apache.org/jira/browse/NET-718

[efgpinto]

LGTM

[johanandren]

One of the failing tests was ftps, let's run again and see if it was a random failure

[ennru]

Doesn't look too good javax.net.ssl.SSLException: Unsupported or unrecognized SSL message.

[ennru]

This error is not directly connected to the change of default in 3.9.0, it fails locally with

Start of log messages of test that failed with assertion failed: fishForMessage(OnNext(_) or OnComplete) found unexpected message OnError(javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
	at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:451)
	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:175)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at org.apache.commons.net.ftp.FTPSClient._openDataConnection_(FTPSClient.java:278)
	at org.apache.commons.net.ftp.FTPClient._retrieveFileStream(FTPClient.java:915)
	at org.apache.commons.net.ftp.FTPClient.retrieveFileStream(FTPClient.java:2841)
	at akka.stream.alpakka.ftp.impl.CommonFtpOperations.$anonfun$retrieveFileInputStream$1(CommonFtpOperations.scala:71)
	at scala.util.Try$.apply(Try.scala:210)```

[johanandren]

As in, it was already failing?

[ennru]

As in, it was already failing?

No, as in fails only after the upgrade, but switching back the default the CVE reported doesn't help.

[ennru]

There were not many changes in commons-net between 3.8.0 and 3.9.0:
https://issues.apache.org/jira/browse/NET-642?jql=project%20%3D%20NET%20AND%20fixVersion%20%3D%203.9.0

Tests in our FtpsWithProxyStageTest fail which makes apache/commons-net#90 look suspicious.

[sebastian-alfers]

When trying to reproduce locally, I do get another error:

--> [akka.stream.alpakka.ftp.FtpsWithProxyStageTest: listFiles] Start of log messages of test that failed with assertion failed: expected class akka.stream.testkit.TestSubscriber$OnNext, found class akka.stream.testkit.TestSubscriber$OnError (OnError(java.net.ConnectException: Connection refused (Connection refused)
	at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)

It is the same on master so I assume the setup is broken on my end. @johanandren are you able to reproduce the error from this build? Locally, it is just:

./scripts/ftp-servers.sh

and then

sbt "ftp/testOnly *.FtpsWithProxyStageTest"

[johanandren]

Waiting for upstream issue https://issues.apache.org/jira/browse/NET-718

[ennru]

Bumped commons-net to 3.10.0 but according to their issue tracker the problem is not fixed.

[ennru]

When getting back to this, notice even

• bump: sshj 0.35.0 (was 0.33.0) #3069

[ennru]

sshj already bumped with

• bump: sshj 0.39.0 (was 0.35.0) #3258

[johanandren]

LGTM

[johanandren]

Would be good to add a comment explaining why it is ignored