You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/08/17 12:11:00 UTC

[jira] [Commented] (KARAF-7240) Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052

    [ https://issues.apache.org/jira/browse/KARAF-7240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17400354#comment-17400354 ] 

ASF GitHub Bot commented on KARAF-7240:
---------------------------------------

skitt commented on a change in pull request #1419:
URL: https://github.com/apache/karaf/pull/1419#discussion_r690307968



##########
File path: pom.xml
##########
@@ -169,7 +169,7 @@
         <asm.version>9.2</asm.version>
         <javax.annotation.version>1.3.1</javax.annotation.version>
         <awaitility.version>3.1.6</awaitility.version>
-        <bouncycastle.version>1.66</bouncycastle.version>
+        <bouncycastle.version>1.68</bouncycastle.version>

Review comment:
       Can’t we upgrade to 1.69? That’s the current release.
   
   ```suggestion
           <bouncycastle.version>1.69</bouncycastle.version>
   ```




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@karaf.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052
> --------------------------------------------------------
>
>                 Key: KARAF-7240
>                 URL: https://issues.apache.org/jira/browse/KARAF-7240
>             Project: Karaf
>          Issue Type: Dependency upgrade
>          Components: karaf
>    Affects Versions: 4.3.2
>         Environment: Apache Karaf - OSGi
>            Reporter: Karthick
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2020-28052 ([https://nvd.nist.gov/vuln/detail/CVE-2020-28|https://nvd.nist.gov/vuln/detail/CVE-2021-26291).]052) on our package because Karaf by default packs bcprov and bcpkix 1.66 versions. The fix for the specified CVE is to use bcprov and bcpkis 1.67 and higher. Apache Karaf should update to use later versions of these bouncy castle 3pps so that this CVE is mitigated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)