This is an automated email from the ASF dual-hosted git repository.

JinwooHwang pushed a commit to branch support/2.0
in repository https://gitbox.apache.org/repos/asf/geode.git

commit b0f90024a1663e2e394a8a1110bb7da60f2ab92d
Author: Jinwoo Hwang <[email protected]>
AuthorDate: Tue May 12 08:07:15 2026 -0400

    GEODE-10583: Upgrade transitive bcprov-jdk18on from 1.82 to 1.84 (#8008)
    
    Pin org.bouncycastle:bcprov-jdk18on (transitive via 
org.apache.shiro:shiro-crypto-hash:2.1.0) to 1.84 to remediate CVE-2026-0636 
(LDAP Injection), CVE-2026-5598 (Covert Timing Channel in FrodoEngine), and 
CVE-2025-14813 (broken GOSTCTR in G3413CTRBlockCipher), all of which affect 
1.82 and are fixed in 1.84.
    
    - Add bouncycastle.version=1.84 and api constraint in 
DependencyConstraints.groovy
    - Update integration-test classpath fixtures to reference 
bcprov-jdk18on-1.84.jar
    
    (cherry picked from commit 3f3dbb996368065f7c23aeb1688277e984b55eb1)
---
 .../org/apache/geode/gradle/plugins/DependencyConstraints.groovy      | 4 ++++
 geode-assembly/src/integrationTest/resources/assembly_content.txt     | 2 +-
 .../src/integrationTest/resources/gfsh_dependency_classpath.txt       | 2 +-
 .../src/integrationTest/resources/dependency_classpath.txt            | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git 
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
 
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index ec9f9f84c7..d71e6717ba 100644
--- 
a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++ 
b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -50,6 +50,8 @@ class DependencyConstraints {
     deps.put("log4j-slf4j2-impl.version", "2.23.1")
     deps.put("micrometer.version", "1.14.0")
     deps.put("shiro.version", "2.1.0")
+    // GEODE-10583: Pin Bouncy Castle (transitive via shiro-crypto-hash) to a 
fixed version
+    deps.put("bouncycastle.version", "1.84")
     deps.put("slf4j-api.version", "2.0.17")
     deps.put("jakarta.transaction-api.version", "2.0.1")
     deps.put("jboss-modules.version", "1.11.0.Final")
@@ -179,6 +181,8 @@ class DependencyConstraints {
         api(group: 'org.apache.httpcomponents', name: 'httpclient', version: 
'4.5.13')
         api(group: 'org.apache.httpcomponents', name: 'httpcore', version: 
'4.4.15')
         api(group: 'org.apache.shiro', name: 'shiro-core', version: 
get('shiro.version'))
+        // GEODE-10583: Pin Bouncy Castle provider (pulled in via 
shiro-crypto-hash) to 1.84
+        api(group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: 
get('bouncycastle.version'))
         api(group: 'org.assertj', name: 'assertj-core', version: '3.22.0')
         api(group: 'org.awaitility', name: 'awaitility', version: '4.2.0')
         api(group: 'org.buildobjects', name: 'jproc', version: '2.8.0')
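Review bot: The new comment describes this constraint as a pin to a fixed version, but if `api(...)` here is a Gradle dependency constraint (the neighbouring shiro-core and httpclient entries suggest it is), a bare `version: '1.84'` is a required version, not a strict one: it raises shiro-crypto-hash's transitive 1.82 requirement to 1.84 but yields to any other path that asks for something newer. For a CVE remediation a floor is usually the intent, so the comment should say that rather than promise a fixed version, e.g. `// GEODE-10583: require bcprov-jdk18on >= 1.84 (fixes CVE-2026-0636, CVE-2026-5598, CVE-2025-14813); not a strict pin`. If an exact version is genuinely required, the constraint needs the `strictly` form (`version { strictly '1.84' }`); the integration-test fixtures in this commit assert the exact jar name, so an unexpected resolution to another version would at least surface there. The enclosing constraints closure starts and ends outside this hunk.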
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt 
b/geode-assembly/src/integrationTest/resources/assembly_content.txt
index 786c91cbf2..c769db89d0 100644
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -923,7 +923,7 @@ lib/antlr-runtime-3.5.2.jar
 lib/asm-9.9.1.jar
 lib/asm-commons-9.9.1.jar
 lib/asm-tree-9.9.1.jar
-lib/bcprov-jdk18on-1.82.jar
+lib/bcprov-jdk18on-1.84.jar
 lib/classgraph-4.8.147.jar
 lib/classmate-1.5.1.jar
 lib/commons-beanutils-1.11.0.jar
diff --git 
a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt 
b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
index c41d8f1344..b39d44afd5 100644
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -142,4 +142,4 @@ jboss-logging-3.4.3.Final.jar
 classmate-1.5.1.jar
 jakarta.el-api-5.0.0.jar
 jakarta.inject-api-2.0.1.jar
-bcprov-jdk18on-1.82.jar
+bcprov-jdk18on-1.84.jar
diff --git 
a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt 
b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
index 2071d8d928..6b665995a6 100644
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -124,7 +124,7 @@ asm-commons-9.9.1.jar
 asm-tree-9.9.1.jar
 asm-9.9.1.jar
 txw2-4.0.2.jar
-bcprov-jdk18on-1.82.jar
+bcprov-jdk18on-1.84.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar
 jline-builtins-3.26.3.jar
