This is an automated email from the ASF dual-hosted git repository.
JinwooHwang pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode.git
The following commit(s) were added to refs/heads/develop by this push:
new 3f3dbb9963 GEODE-10583: Upgrade transitive bcprov-jdk18on from 1.82 to
1.84 (#8008)
3f3dbb9963 is described below
commit 3f3dbb996368065f7c23aeb1688277e984b55eb1
Author: Jinwoo Hwang <[email protected]>
AuthorDate: Tue May 12 08:07:15 2026 -0400
GEODE-10583: Upgrade transitive bcprov-jdk18on from 1.82 to 1.84 (#8008)
Pin org.bouncycastle:bcprov-jdk18on (transitive via
org.apache.shiro:shiro-crypto-hash:2.1.0) to 1.84 to remediate CVE-2026-0636
(LDAP Injection), CVE-2026-5598 (Covert Timing Channel in FrodoEngine), and
CVE-2025-14813 (broken GOSTCTR in G3413CTRBlockCipher), all of which affect
1.82 and are fixed in 1.84.
- Add bouncycastle.version=1.84 and api constraint in
DependencyConstraints.groovy
- Update integration-test classpath fixtures to reference
bcprov-jdk18on-1.84.jar
---
.../org/apache/geode/gradle/plugins/DependencyConstraints.groovy | 4 ++++
geode-assembly/src/integrationTest/resources/assembly_content.txt | 2 +-
.../src/integrationTest/resources/gfsh_dependency_classpath.txt | 2 +-
.../src/integrationTest/resources/dependency_classpath.txt | 2 +-
4 files changed, 7 insertions(+), 3 deletions(-)
diff --git
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index ec9f9f84c7..d71e6717ba 100644
---
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -50,6 +50,8 @@ class DependencyConstraints {
deps.put("log4j-slf4j2-impl.version", "2.23.1")
deps.put("micrometer.version", "1.14.0")
deps.put("shiro.version", "2.1.0")
+ // GEODE-10583: Pin Bouncy Castle (transitive via shiro-crypto-hash) to a
fixed version
+ deps.put("bouncycastle.version", "1.84")
deps.put("slf4j-api.version", "2.0.17")
deps.put("jakarta.transaction-api.version", "2.0.1")
deps.put("jboss-modules.version", "1.11.0.Final")
@@ -179,6 +181,8 @@ class DependencyConstraints {
api(group: 'org.apache.httpcomponents', name: 'httpclient', version:
'4.5.13')
api(group: 'org.apache.httpcomponents', name: 'httpcore', version:
'4.4.15')
api(group: 'org.apache.shiro', name: 'shiro-core', version:
get('shiro.version'))
+ // GEODE-10583: Pin Bouncy Castle provider (pulled in via
shiro-crypto-hash) to 1.84
+ api(group: 'org.bouncycastle', name: 'bcprov-jdk18on', version:
get('bouncycastle.version'))
api(group: 'org.assertj', name: 'assertj-core', version: '3.22.0')
api(group: 'org.awaitility', name: 'awaitility', version: '4.2.0')
api(group: 'org.buildobjects', name: 'jproc', version: '2.8.0')
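Review bot: The `api(group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: get('bouncycastle.version'))` line added in this hunk declares a Gradle "require" version, not a fixed pin: conflict resolution still selects the highest version any dependency requests, so a later transitive asking for a newer bcprov would override 1.84 without any build failure, whereas the comment above it (and the one in the first hunk, `to a fixed version`) describes it as a pin. Upgrading is the right direction for a CVE remediation, but the wording overstates the guarantee; I would reword it to `// GEODE-10583: Require bcprov-jdk18on >= 1.84 (pulled in via shiro-crypto-hash); CVE-2026-0636, CVE-2026-5598 and CVE-2025-14813 are fixed there` or, if an exact version is really intended, use a `version { strictly get('bouncycastle.version') }` constraint so that drift fails the build. Whether this line sits inside a `constraints` closure is not visible from the hunk; the enclosing block starts and ends outside it. The assembly_content and classpath fixtures changed in the later sections presumably fail when the jar name drifts, so they are the effective guard on the resolved version and should be kept in sync with this constraint.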
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt
b/geode-assembly/src/integrationTest/resources/assembly_content.txt
index 786c91cbf2..c769db89d0 100644
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -923,7 +923,7 @@ lib/antlr-runtime-3.5.2.jar
lib/asm-9.9.1.jar
lib/asm-commons-9.9.1.jar
lib/asm-tree-9.9.1.jar
-lib/bcprov-jdk18on-1.82.jar
+lib/bcprov-jdk18on-1.84.jar
lib/classgraph-4.8.147.jar
lib/classmate-1.5.1.jar
lib/commons-beanutils-1.11.0.jar
diff --git
a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
index c41d8f1344..b39d44afd5 100644
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -142,4 +142,4 @@ jboss-logging-3.4.3.Final.jar
classmate-1.5.1.jar
jakarta.el-api-5.0.0.jar
jakarta.inject-api-2.0.1.jar
-bcprov-jdk18on-1.82.jar
+bcprov-jdk18on-1.84.jar
diff --git
a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
index 2071d8d928..6b665995a6 100644
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -124,7 +124,7 @@ asm-commons-9.9.1.jar
asm-tree-9.9.1.jar
asm-9.9.1.jar
txw2-4.0.2.jar
-bcprov-jdk18on-1.82.jar
+bcprov-jdk18on-1.84.jar
reactor-core-3.6.10.jar
jline-console-3.26.3.jar
jline-builtins-3.26.3.jar