sbt 1.9.7

Hi everyone. On behalf of the sbt project, I’m happy to announce that the sbt 1.9.7 patch release is available. The full release note is here - https://github.com/sbt/sbt/releases/tag/v1.9.7

See the 1.9.0 release note for details on 1.9.x features.

Highlights

How to upgrade

The sbt version used for your build must be upgraded by putting the following in project/build.properties:

sbt.version=1.9.7

This mechanism ensures that sbt 1.9.7 is used only for the builds you want.

To upgrade the sbt shell script and the launcher, download the official sbt runner via cs setup, SDKMAN, or directly from https://github.com/sbt/sbt/releases/tag/v1.9.7.

CVE-2023-46122: Zip Slip (arbitrary file write) vulnerability

See CVE-2023-46122 for the most up to date information. This affects all sbt versions prior to 1.9.7.

A path traversal vulnerability was discovered in the IO.unzip code and was reported by Kenji Yoshida (@xuwei-k). This is a very common class of vulnerability known as Zip Slip, which has been found and fixed in plexus-archiver, Ant, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing an arbitrary file. The following is an example of a malicious entry:

+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys

When extracted into a directory six levels deep, the six ../ components resolve to / and IO.unzip would then overwrite a file under /root/. sbt itself uses IO.unzip only in pullRemoteCache and Resolvers.remote; however, many projects call IO.unzip(...) directly to implement custom tasks and tests, so those builds are exposed through their own code as well.

This issue was fixed by @eed3si9n in io#360.
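To make the entry above concrete, here is an added example written for this page (it is not sbt's IO.unzip and not the io#360 patch; it uses only java.util.zip and java.nio.file, and the archive contents, destination path and function names are constructed). It builds a zip containing that entry, shows where an unchecked resolve would land it, and applies the containment check a hardened unzip performs over the whole archive before writing anything:

```scala
import java.io.{ByteArrayInputStream, ByteArrayOutputStream}
import java.nio.file.{Files, Path, Paths}
import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}

object ZipSlipDemo {
  // Constructed sample archive (not a real artifact): one benign entry and one
  // traversal entry shaped like the one quoted in the advisory.
  def maliciousZip(): Array[Byte] = {
    val bytes = new ByteArrayOutputStream()
    val zos = new ZipOutputStream(bytes)
    def add(name: String, body: String): Unit = {
      zos.putNextEntry(new ZipEntry(name))
      zos.write(body.getBytes("UTF-8"))
      zos.closeEntry()
    }
    add("README.txt", "harmless\n")
    add("../../../../../../root/.ssh/authorized_keys", "ssh-ed25519 AAAA... attacker\n")
    zos.close()
    bytes.toByteArray
  }

  // How an unchecked unzip resolves an entry: the name is joined to the
  // destination verbatim, so each "../" walks one level up and out.
  def naiveTarget(dest: Path, entryName: String): Path =
    dest.resolve(entryName).normalize()

  // Hardened resolution: normalize first, then insist the result still lies
  // under the destination. Absolute entry names ("/etc/passwd") fail the same
  // check because resolve() returns an absolute argument unchanged.
  def safeTarget(dest: Path, entryName: String): Option[Path] = {
    val base = dest.toAbsolutePath.normalize()
    val target = base.resolve(entryName).normalize()
    if (target.startsWith(base)) Some(target) else None
  }

  // Names of entries that would escape dest. Checked over the whole archive
  // before anything is written, so a bad archive is rejected as a unit rather
  // than after its benign entries have already landed on disk.
  def escapingEntries(archive: Array[Byte], dest: Path): List[String] = {
    val zis = new ZipInputStream(new ByteArrayInputStream(archive))
    try Iterator.continually(zis.getNextEntry()).takeWhile(_ != null)
          .map(_.getName).filter(safeTarget(dest, _).isEmpty).toList
    finally zis.close()
  }

  // Extract only after the archive has passed the check; returns files written.
  def unzipSafely(archive: Array[Byte], dest: Path): List[Path] = {
    val bad = escapingEntries(archive, dest)
    if (bad.nonEmpty)
      throw new SecurityException(s"entries escape $dest: ${bad.mkString(", ")}")
    val zis = new ZipInputStream(new ByteArrayInputStream(archive))
    try Iterator.continually(zis.getNextEntry()).takeWhile(_ != null).flatMap { entry =>
      val target = safeTarget(dest, entry.getName).get // validated above
      if (entry.isDirectory) { Files.createDirectories(target); None }
      else {
        Files.createDirectories(target.getParent)
        Files.copy(zis, target) // reads to the end of the current entry only
        Some(target)
      }
    }.toList
    finally zis.close()
  }

  def main(args: Array[String]): Unit = {
    // Six path components, matching the advisory's "path with six levels".
    val dest = Paths.get("/home/ci/work/proj/target/out")
    val evil = "../../../../../../root/.ssh/authorized_keys"
    println(s"unchecked: ${naiveTarget(dest, evil)}")   // /root/.ssh/authorized_keys
    println(s"checked:   ${safeTarget(dest, evil)}")    // None
    val tmp = Files.createTempDirectory("zipslip")
    try unzipSafely(maliciousZip(), tmp)
    catch { case e: SecurityException => println(s"rejected: ${e.getMessage}") }
  }
}
```

The check is done on the normalized absolute path rather than on the raw entry name, so it also catches names that mix "./" and "../" segments; comparing strings against a ".." prefix would miss those. If your build calls IO.unzip directly, the same containment test can be run over the archive's entry names before handing it to sbt on versions you cannot upgrade yet.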

Non-determinism from AutoPlugins loading

We have known that occasionally some builds non-deterministically flip-flop their behavior when a task or setting is set by two independent AutoPlugins, i.e. two plugins neither of which depends on the other.

sbt 1.9.7 attempts to fix non-determinism of plugin loading order. This was contributed by @eed3si9n in #7404.
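As an added illustration of the situation described above (example code written for this page, not sbt's own code and not the #7404 change; the two plugin names and their settings are invented), here are two AutoPlugins that both assign scalacOptions, together with the requires declaration that makes the order explicit regardless of sbt version:

```scala
// Added example: two hypothetical AutoPlugins placed under project/ of a build.
// Names and settings are invented for this page; this is not sbt's own code.
import sbt._
import sbt.Keys._
import sbt.plugins.JvmPlugin

// Both plugins assign the same key with :=, so only the assignment that sbt
// applies last takes effect.
object StrictWarningsPlugin extends AutoPlugin {
  override def trigger = allRequirements
  override def requires = JvmPlugin
  override def projectSettings = Seq(
    scalacOptions := Seq("-deprecation", "-Xfatal-warnings")
  )
}

object LenientWarningsPlugin extends AutoPlugin {
  override def trigger = allRequirements
  // With `requires = JvmPlugin` here instead, the two plugins would be
  // independent and the winner would depend on load order (the non-determinism
  // addressed in 1.9.7). Declaring the dependency sorts StrictWarningsPlugin's
  // settings before this plugin's, so this assignment wins on every load.
  override def requires = StrictWarningsPlugin
  override def projectSettings = Seq(
    scalacOptions := Seq("-deprecation")
  )
}
```

A quick check is `show scalacOptions` in the sbt shell: with the dependency declared it prints the lenient list on every load. Cycles in requires are not allowed, so pick the plugin whose value should win and make it require the other; when the two plugins come from different authors, a small plugin in the build that requires both and assigns the key itself serves the same purpose.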

Other updates and fixes

Participation

Thanks to everyone who’s helped improve sbt and Zinc by using them, reporting bugs, improving our documentation, porting builds, porting plugins, and submitting and reviewing pull requests.

For anyone interested in helping sbt, there are many avenues to contribute, depending on your interest. Contributing, “help wanted”, “good first issue”, and Discussions are good starting points.


Scala Center is a non-profit center at EPFL to support education and open source.