You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Karthick (Jira)" <ji...@apache.org> on 2021/08/10 06:54:00 UTC

[jira] [Updated] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052

     [ https://issues.apache.org/jira/browse/KARAF-7240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karthick updated KARAF-7240:
----------------------------
    Description: We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2020-28052 ([https://nvd.nist.gov/vuln/detail/CVE-2020-28|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).]052) on our package because Karaf by default packs bcprov and bcpkix 1.66 versions. The fix for the specified CVE is to use bcprov and bcpkis 1.67 and higher. Apache Karaf should update to use later versions of these bouncy castle 3pps so that this CVE is mitigated.  (was: We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2021-26291 ([https://nvd.nist.gov/vuln/detail/CVE-2021-26291|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).]) on our package because Karaf by default packs maven 3.6.x. The fix for the specified CVE is Maven 3.8.1+. ([https://maven.apache.org/docs/3.8.1/release-notes.html]) . Apache Karaf should update to use later versions of Maven resolver etc so that this vulnerability is mitigated.)

> Upgrade bcprov artifacts to mitigate CVE-2020-28052
> ---------------------------------------------------
>
>                 Key: KARAF-7240
>                 URL: https://issues.apache.org/jira/browse/KARAF-7240
>             Project: Karaf
>          Issue Type: Task
>          Components: karaf
>    Affects Versions: 4.3.2
>         Environment: Apache Karaf - OSGi
>            Reporter: Karthick
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2020-28052 ([https://nvd.nist.gov/vuln/detail/CVE-2020-28|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).]052) on our package because Karaf by default packs bcprov and bcpkix 1.66 versions. The fix for the specified CVE is to use bcprov and bcpkis 1.67 and higher. Apache Karaf should update to use later versions of these bouncy castle 3pps so that this CVE is mitigated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)