You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Jonathan S Fisher (JIRA)" <ji...@apache.org> on 2017/05/30 20:49:04 UTC
[jira] [Updated] (TOMEE-2042) Force upgrade of bcprov to fix 10
CVEs
[ https://issues.apache.org/jira/browse/TOMEE-2042?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jonathan S Fisher updated TOMEE-2042:
-------------------------------------
Description:
https://github.com/apache/tomee/pull/68
bcprov is included as a transient dependency for openejb-cxf module. This forces a secure version. I plan on logging bugs for wss4j and opensaml to upgrade the dependency.
[INFO] +- org.apache.wss4j:wss4j-ws-security-dom:jar:2.1.9:compile
[INFO] | \- org.apache.wss4j:wss4j-ws-security-common:jar:2.1.9:compile
[INFO] | +- org.apache.santuario:xmlsec:jar:2.0.6:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] | +- org.opensaml:opensaml-saml-impl:jar:3.1.1:compile
[INFO] | | +- org.opensaml:opensaml-profile-api:jar:3.1.1:compile
[INFO] | | | \- org.opensaml:opensaml-core:jar:3.1.1:compile
[INFO] | | +- org.opensaml:opensaml-saml-api:jar:3.1.1:compile
[INFO] | | | +- org.opensaml:opensaml-xmlsec-api:jar:3.1.1:compile
[INFO] | | | \- org.opensaml:opensaml-soap-api:jar:3.1.1:compile
[INFO] | | +- org.opensaml:opensaml-security-impl:jar:3.1.1:compile
[INFO] | | | \- org.opensaml:opensaml-security-api:jar:3.1.1:compile
[INFO] | | | +- org.cryptacular:cryptacular:jar:1.0:compile
[INFO] | | | \- org.bouncycastle:bcprov-jdk15on:jar:1.51:compile
It contains the following CVEs:
CVE-2016-1000341
CVE-2016-1000346
CVE-2016-1000340
CVE-2016-1000344
CVE-2016-1000352
CVE-2016-1000338
CVE-2016-1000339
CVE-2016-1000342
CVE-2016-1000343
CVE-2016-1000345
was:
https://github.com/apache/tomee/pull/68
bcprov is included as a transient dependency for openejb-cxf module. This forces a secure version. I plan on logging bugs for wss4j and opensaml to upgrade the dependency.
[INFO] +- org.apache.wss4j:wss4j-ws-security-dom:jar:2.1.9:compile
[INFO] | \- org.apache.wss4j:wss4j-ws-security-common:jar:2.1.9:compile
[INFO] | +- org.apache.santuario:xmlsec:jar:2.0.6:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] | +- org.opensaml:opensaml-saml-impl:jar:3.1.1:compile
[INFO] | | +- org.opensaml:opensaml-profile-api:jar:3.1.1:compile
[INFO] | | | \- org.opensaml:opensaml-core:jar:3.1.1:compile
[INFO] | | +- org.opensaml:opensaml-saml-api:jar:3.1.1:compile
[INFO] | | | +- org.opensaml:opensaml-xmlsec-api:jar:3.1.1:compile
[INFO] | | | \- org.opensaml:opensaml-soap-api:jar:3.1.1:compile
[INFO] | | +- org.opensaml:opensaml-security-impl:jar:3.1.1:compile
[INFO] | | | \- org.opensaml:opensaml-security-api:jar:3.1.1:compile
[INFO] | | | +- org.cryptacular:cryptacular:jar:1.0:compile
[INFO] | | | \- org.bouncycastle:bcprov-jdk15on:jar:1.51:compile
It contains the following CVEs:
CVE-2016-1000341
CVE-2016-1000346
CVE-2016-1000340
CVE-2016-1000344
CVE-2016-1000352
CVE-2016-1000338
CVE-2016-1000339
CVE-2016-1000342
CVE-2016-1000343
CVE-2016-1000345
> Force upgrade of bcprov to fix 10 CVEs
> --------------------------------------
>
> Key: TOMEE-2042
> URL: https://issues.apache.org/jira/browse/TOMEE-2042
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 7.0.3
> Reporter: Jonathan S Fisher
>
> https://github.com/apache/tomee/pull/68
> bcprov is included as a transient dependency for openejb-cxf module. This forces a secure version. I plan on logging bugs for wss4j and opensaml to upgrade the dependency.
> [INFO] +- org.apache.wss4j:wss4j-ws-security-dom:jar:2.1.9:compile
> [INFO] | \- org.apache.wss4j:wss4j-ws-security-common:jar:2.1.9:compile
> [INFO] | +- org.apache.santuario:xmlsec:jar:2.0.6:compile
> [INFO] | | \- commons-codec:commons-codec:jar:1.10:compile
> [INFO] | +- org.opensaml:opensaml-saml-impl:jar:3.1.1:compile
> [INFO] | | +- org.opensaml:opensaml-profile-api:jar:3.1.1:compile
> [INFO] | | | \- org.opensaml:opensaml-core:jar:3.1.1:compile
> [INFO] | | +- org.opensaml:opensaml-saml-api:jar:3.1.1:compile
> [INFO] | | | +- org.opensaml:opensaml-xmlsec-api:jar:3.1.1:compile
> [INFO] | | | \- org.opensaml:opensaml-soap-api:jar:3.1.1:compile
> [INFO] | | +- org.opensaml:opensaml-security-impl:jar:3.1.1:compile
> [INFO] | | | \- org.opensaml:opensaml-security-api:jar:3.1.1:compile
> [INFO] | | | +- org.cryptacular:cryptacular:jar:1.0:compile
> [INFO] | | | \- org.bouncycastle:bcprov-jdk15on:jar:1.51:compile
> It contains the following CVEs:
> CVE-2016-1000341
> CVE-2016-1000346
> CVE-2016-1000340
> CVE-2016-1000344
> CVE-2016-1000352
> CVE-2016-1000338
> CVE-2016-1000339
> CVE-2016-1000342
> CVE-2016-1000343
> CVE-2016-1000345
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)