Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/06/12 09:11:00 UTC

[jira] [Assigned] (CXF-7757) Upgrade bouncycastle dependency to fix vulnerability

     [ https://issues.apache.org/jira/browse/CXF-7757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned CXF-7757:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Upgrade bouncycastle dependency to fix vulnerability
> ----------------------------------------------------
>
>                 Key: CXF-7757
>                 URL: https://issues.apache.org/jira/browse/CXF-7757
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.2.4
>            Reporter: Dominique Jacques-Brissette
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Apache CXF has a dependency on org.bouncycastle:bcprov-jdk15on@1.54 which has a vulnerability known as CVE-2016-1000338 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338)
> We discovered it in our projects via Snyk https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340
> The whole dependency chain is as follows
> org.apache.cxf:cxf-rt-ws-security@3.2.4 > org.apache.wss4j:wss4j-ws-security-policy-stax@2.2.1 > org.apache.wss4j:wss4j-ws-security-stax@2.2.1 > org.apache.wss4j:wss4j-ws-security-common@2.2.1 > org.opensaml:opensaml-xacml-saml-impl@3.3.0 > org.opensaml:opensaml-saml-impl@3.3.0 > org.opensaml:opensaml-soap-impl@3.3.0 > org.opensaml:opensaml-soap-api@3.3.0 > org.opensaml:opensaml-xmlsec-api@3.3.0 > org.opensaml:opensaml-security-api@3.3.0 > org.cryptacular:cryptacular@1.1.1 > *org.bouncycastle:bcprov-jdk15on@1.54*
> For example, if the transitive dependency cryptacular was at 1.2.2, then org.bouncycastle:bcprov-jdk15on@1.59 would be used and the vulnerability would be patched.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
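The ticket's value for a reader is the dependency path itself: a vulnerable library eleven hops down from the artifact a build actually declares, where the fix is to bump the nearest ancestor that drags it in (cryptacular, in the reporter's reading) or to pin the leaf in one's own build. The following is an added example, not code from CXF-7757 or from the CXF project: it parses the Snyk-style `group:artifact@version > ...` path quoted above, flags the leaf when it is older than a minimum version, and names the parent and the direct dependency a maintainer or consumer would act on. The constructed input is the chain from the ticket; the 1.59 threshold is taken from the reporter's statement that 1.59 is patched, not from the advisory, which the page does not quote.

```python
"""
Added example (not part of CXF-7757 or the CXF project): parse the
Snyk-style dependency path quoted in the ticket and work out which
artifact is vulnerable and which ancestors could be bumped or pinned.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the chain as quoted in the ticket, including the
# JIRA '*...*' emphasis on the last element to show the parser tolerates it.
SAMPLE_PATH = (
    "org.apache.cxf:cxf-rt-ws-security@3.2.4 > "
    "org.apache.wss4j:wss4j-ws-security-policy-stax@2.2.1 > "
    "org.apache.wss4j:wss4j-ws-security-stax@2.2.1 > "
    "org.apache.wss4j:wss4j-ws-security-common@2.2.1 > "
    "org.opensaml:opensaml-xacml-saml-impl@3.3.0 > "
    "org.opensaml:opensaml-saml-impl@3.3.0 > "
    "org.opensaml:opensaml-soap-impl@3.3.0 > "
    "org.opensaml:opensaml-soap-api@3.3.0 > "
    "org.opensaml:opensaml-xmlsec-api@3.3.0 > "
    "org.opensaml:opensaml-security-api@3.3.0 > "
    "org.cryptacular:cryptacular@1.1.1 > "
    "*org.bouncycastle:bcprov-jdk15on@1.54*"
)

# Assumption: the ticket says 1.59 is patched for CVE-2016-1000338, so 1.59
# is used as the minimum acceptable version here. Confirm the first fixed
# release against the advisory before relying on this number.
VULNERABLE_GA = "org.bouncycastle:bcprov-jdk15on"
MIN_FIXED = "1.59"


@dataclass(frozen=True)
class Coordinate:
    group: str
    artifact: str
    version: str

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"


@dataclass(frozen=True)
class Finding:
    vulnerable: Coordinate        # the artifact below the minimum version
    parent: Optional[Coordinate]  # nearest ancestor that pulls it in (bump this)
    direct: Coordinate            # dependency the build declares (pin here)


def parse_coordinate(token: str) -> Coordinate:
    """Parse 'group:artifact@version', tolerating spaces and '*' emphasis."""
    token = token.strip().strip("*")
    ga, sep, version = token.partition("@")
    group, sep2, artifact = ga.partition(":")
    if not (sep and version and sep2 and artifact):
        raise ValueError(f"not a group:artifact@version token: {token!r}")
    return Coordinate(group, artifact, version)


def parse_path(path: str) -> List[Coordinate]:
    """Split an 'a > b > c' dependency path into coordinates, root first."""
    return [parse_coordinate(t) for t in path.split(">")]


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key for plain dotted numeric versions (1.54, 1.2.2).
    Qualifiers such as -SNAPSHOT are rejected rather than guessed at."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(p) for p in version.split("."))


def find_vulnerable(chain: List[Coordinate], ga: str, min_fixed: str) -> Optional[Finding]:
    """Return the first occurrence of `ga` older than `min_fixed`, together
    with the ancestor to bump and the direct dependency to pin, else None."""
    for idx, coord in enumerate(chain):
        if coord.ga == ga and version_key(coord.version) < version_key(min_fixed):
            parent = chain[idx - 1] if idx > 0 else None
            return Finding(vulnerable=coord, parent=parent, direct=chain[0])
    return None


if __name__ == "__main__":
    finding = find_vulnerable(parse_path(SAMPLE_PATH), VULNERABLE_GA, MIN_FIXED)
    if finding is None:
        print("no vulnerable version on this path")
    else:
        v = finding.vulnerable
        print(f"{v.ga}@{v.version} is below {MIN_FIXED}")
        if finding.parent:
            print(f"  pulled in by : {finding.parent.ga}@{finding.parent.version}")
        print(f"  declared dep : {finding.direct.ga}@{finding.direct.version}")
```

On the ticket's chain this reports cryptacular@1.1.1 as the parent to bump and cxf-rt-ws-security@3.2.4 as the declared dependency. A consumer who cannot wait for the upstream bump can pin the leaf with a `dependencyManagement` entry for the bcprov artifact in their own pom and then confirm the resolved version with `mvn dependency:tree`; the parser above accepts that tool's `group:artifact:type:version` lines only after the token format is adapted, so it is written against the Snyk path format the ticket quotes.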