Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2021/08/10 07:01:00 UTC

[jira] [Commented] (KARAF-7240) Upgrade bcprov artifacts to mitigate CVE-2020-28052

    [ https://issues.apache.org/jira/browse/KARAF-7240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17396482#comment-17396482 ] 

Jean-Baptiste Onofré commented on KARAF-7240:
---------------------------------------------

Yes, it's already planned now that I've created the corresponding SMX bundle.

> Upgrade bcprov artifacts to mitigate CVE-2020-28052
> ---------------------------------------------------
>
>                 Key: KARAF-7240
>                 URL: https://issues.apache.org/jira/browse/KARAF-7240
>             Project: Karaf
>          Issue Type: Task
>          Components: karaf
>    Affects Versions: 4.3.2
>         Environment: Apache Karaf - OSGi
>            Reporter: Karthick
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> We are using Apache Karaf 4.3.2 in our project and our security scans report CVE-2020-28052 (https://nvd.nist.gov/vuln/detail/CVE-2020-28052) on our package because Karaf by default packs bcprov and bcpkix 1.66 versions. The fix for the specified CVE is to use bcprov and bcpkix 1.67 and higher. Apache Karaf should update to use later versions of these Bouncy Castle 3pps so that this CVE is mitigated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
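A check an operator could run for the condition the report describes, added here as an example and not code from the Karaf project or anyone in the thread. It assumes Karaf's system/ repository uses the Maven directory layout and treats 1.67, the version the reporter names, as the fix threshold; the sample tree it scans is constructed.

```shell
# Added example (not Karaf's or the reporter's code): flag bcprov/bcpkix jars in
# a Karaf home older than 1.67, the fix version the report names for CVE-2020-28052.
# Assumed Maven layout: system/<group path>/<artifactId>/<version>/<artifactId>-<version>.jar
set -u
FIXED_VERSION="1.67"
# version_lt A B: succeed when dotted version A < B, compared field by field numerically.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# bc_jar_version PATH: ".../bcprov-jdk15on-1.66.jar" -> "1.66"
bc_jar_version() {
    v=${1##*/}; v=${v%.jar}; printf '%s\n' "${v##*-}"
}

# scan_karaf_home DIR: print "<version> <jar>" for each bcprov/bcpkix artifact
# below FIXED_VERSION; prints nothing when the install is clean.
scan_karaf_home() {
    find "$1/system" -type f \( -name 'bcprov-*.jar' -o -name 'bcpkix-*.jar' \) 2>/dev/null |
    sort | while IFS= read -r jar; do
        ver=$(bc_jar_version "$jar")
        if version_lt "$ver" "$FIXED_VERSION"; then printf '%s %s\n' "$ver" "$jar"; fi
    done
}

# make_sample_home: constructed Karaf-like tree of empty placeholder jars: the
# 1.66 pair the reporter describes plus one already-upgraded bcpkix 1.67.
make_sample_home() {
    home=$(mktemp -d)
    for av in bcprov-jdk15on:1.66 bcpkix-jdk15on:1.66 bcpkix-jdk15on:1.67; do
        a=${av%%:*}; v=${av##*:}
        mkdir -p "$home/system/org/bouncycastle/$a/$v"
        : > "$home/system/org/bouncycastle/$a/$v/$a-$v.jar"
    done
    printf '%s\n' "$home"
}

# Usage: sh bc_check.sh /opt/karaf, or --demo to scan the constructed sample tree.
case "${1:-}" in
    --demo) home=$(make_sample_home); scan_karaf_home "$home"; rm -rf "$home" ;;
    ?*) scan_karaf_home "$1" ;;
esac
```

Run with --demo to see the two 1.66 jars reported while the 1.67 bcpkix is left alone; against a real install, an empty result means no bundled Bouncy Castle artifact is below the fix version.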