You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/04/25 09:11:08 UTC

[GitHub] [trafficcontrol] QiAnXinCodeSafe opened a new issue #5783: There is a vulnerability in bcpkix-jdk15on 1.66 ,upgrade recommended

QiAnXinCodeSafe opened a new issue #5783:
URL: https://github.com/apache/trafficcontrol/issues/5783


   https://github.com/apache/trafficcontrol/blob/83e5c3ab43b89c18daa26d19192fc819bfcd44c3/traffic_router/connector/pom.xml#L127-L129
   
   CVE-2020-28052
   
   Recommended upgrade version:1.67


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [trafficcontrol] rawlinp commented on issue #5783: There is a vulnerability in bcpkix-jdk15on 1.66 ,upgrade recommended

Posted by GitBox <gi...@apache.org>.
rawlinp commented on issue #5783:
URL: https://github.com/apache/trafficcontrol/issues/5783#issuecomment-827752730


   > A comparison error in OpenBSDBCrypt.checkPassword() can result in an incorrect password been accepted as a valid one. Do not use OpenBSDBCrypt.checkPassword() in either BC 1.65 or BC 1.66. The bug is quite insidious as it can create the impression the code is working. It is not and any usage of OpenBSDBCrypt.checkPassword() for BC 1.65 or BC 1.66 needs to be removed.
   
   TR doesn't use `OpenBSDBCrypt.checkPassword()`; therefore, I don't believe TR is vulnerable to this CVE. However, we should probably upgrade this dependency when we get the chance.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [trafficcontrol] zrhoffman closed issue #5783: There is a vulnerability in bcpkix-jdk15on 1.66 ,upgrade recommended

Posted by GitBox <gi...@apache.org>.
zrhoffman closed issue #5783:
URL: https://github.com/apache/trafficcontrol/issues/5783


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org