You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pdfbox.apache.org by "Tilman Hausherr (Jira)" <ji...@apache.org> on 2020/02/19 04:57:00 UTC
[jira] [Comment Edited] (PDFBOX-4779) PDFBOX: Update Bouncy Castle
Crypto to version 1.64
[ https://issues.apache.org/jira/browse/PDFBOX-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039700#comment-17039700 ]
Tilman Hausherr edited comment on PDFBOX-4779 at 2/19/20 4:56 AM:
------------------------------------------------------------------
We've done it for the trunk, but not for the 2.* branch. I'm not sure if this is OK or not.
CC [~lehmi]
(And this would also require to update the website upon release)
Of course a user can always use the newer BC version in its own pom.xml, there are no API incompatibilities AFAIK.
was (Author: tilman):
We've done it for the trunk, but not for the 2.* branch. I'm not sure if this is OK or not. (And this would also require to update the website upon release)
CC [~lehmi]
Of course a user can always use the newer BC version in its own pom.xml, there are no API incompatibilities AFAIK.
> PDFBOX: Update Bouncy Castle Crypto to version 1.64
> ---------------------------------------------------
>
> Key: PDFBOX-4779
> URL: https://issues.apache.org/jira/browse/PDFBOX-4779
> Project: PDFBox
> Issue Type: Improvement
> Components: Crypto
> Affects Versions: 2.0.18
> Reporter: Nick Gorbarov
> Priority: Major
> Labels: crypto
>
> Please update Bouncy Castle Crypto to verison 1.64. It contains critical issue:
> *CVE-2019-17359*: A change to the ASN.1 parser in 1.63 introduced a regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data. We recommend upgrading to 1.64, particularly where an application might be parsing untrusted ASN.1 data from third parties.
>
> Link to Bouncy Castle Crypto: [https://www.bouncycastle.org/releasenotes.html]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org