[
https://issues.apache.org/jira/browse/NIFI-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15095291#comment-15095291
]
Andy LoPresto commented on NIFI-1324:
-------------------------------------
BC 1.54 became available during this development. It resolves a security issue
(that we are not currently susceptible to) and does not change the API. I
upgraded to BC 1.54 in PR 170.
{quote}
Release 1.54 is now available for download.
This is primarily a security release concerning (D)TLS 1.2. Motivated by
CVE-2015-7575, we have added validation that the signature algorithm received
in DigitallySigned structures is actually one of those offered (in
signature_algorithms extension or CertificateRequest). With our default TLS
configuration, we do not believe there is an exploitable vulnerability in any
earlier releases. Users that are customizing the signature_algorithms
extension, or running a server supporting client authentication, are advised to
double-check that they are not offering any signature algorithms involving MD5.
In terms of new features, the CMS API now supports the PKCS#7 ANY type for
encapsulated content, RFC 3370, Camellia, and SEED are now supported for key
agreement in CMS, and CTR/SIC modes now provide an explicit internal counter if
initialised with a short IV. TLS/DTLS now includes a non-blocking API. The
Blake2b digests are now actually supported in the provider (sorry, it got
missed in 1.53...) and ClassCastException issues with Cipher.getOutputSize()
for IES ciphers have been fixed. Finally, in accordance with advice from the
algorithm's authors, Serpent has been modified to conform to the NESSIE vector
suite, the previous version of Serpent, which conforms to the NIST submission
format, is now called Tnepres.
Further details on other additions and bug fixes can be found in the release
notes file accompanying the release.
{quote}
> Upgrade to correct version of BouncyCastle
> ------------------------------------------
>
> Key: NIFI-1324
> URL: https://issues.apache.org/jira/browse/NIFI-1324
> Project: Apache NiFi
> Issue Type: Task
> Components: Core Framework
> Affects Versions: 0.4.1
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Labels: dependencies, security
> Fix For: 0.5.0
>
>
> The existing Maven dependencies are for
> {{org.bouncycastle:bcprov-jdk16:1.46}} and
> {{org.bouncycastle:bcpg-jdk16:1.46}}. While {{jdk16}} looks "newer" than
> {{jdk15on}}, this was actually a legacy mistake on the part of BouncyCastle
> versioning. The correct and current version of BouncyCastle is {{jdk15on}},
> as evidenced by the age of the releases:
> * jdk15on: 03/2012 - 10/2015 "The Bouncy Castle Crypto package is a Java
> implementation of cryptographic algorithms. This jar contains JCE provider
> and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to
> JDK 1.8." (http://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
> * jdk16: 11/2007 - 02/2011 "The Bouncy Castle Crypto package is a Java
> implementation of cryptographic algorithms. This jar contains JCE provider
> and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6."
> (http://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk16)
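Added example, not part of the original message and not NiFi or Bouncy Castle code: a small POM audit that flags the legacy -jdk16 Bouncy Castle artifacts described in the issue, plus any Bouncy Castle dependency older than the 1.54 release mentioned in the comment. The sample POM is constructed, and treating 1.54 as a minimum version is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

LEGACY, CURRENT = "-jdk16", "-jdk15on"  # artifact suffixes named in the issue
FLOOR = (1, 54)  # release named in the comment, used here as an assumed policy floor

# Constructed sample POM, not taken from the NiFi source tree.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><bc.version>1.46</bc.version></properties>
  <dependencies>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk16</artifactId><version>${bc.version}</version></dependency>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcpg-jdk15on</artifactId><version>1.54</version></dependency>
    <dependency><groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId><version>1.53</version></dependency>
  </dependencies>
</project>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix
def _fields(element):
    return {_local(c.tag): (c.text or "").strip() for c in element}

def audit_pom(pom_text):
    """Return [(artifactId, version, [reasons])] for Bouncy Castle dependencies to fix."""
    root = ET.fromstring(pom_text)
    props = {k: v for el in root.iter() if _local(el.tag) == "properties"
             for k, v in _fields(el).items()}
    findings = []
    for dep in root.iter():
        f = _fields(dep)
        if _local(dep.tag) != "dependency" or f.get("groupId") != "org.bouncycastle":
            continue
        artifact = f.get("artifactId", "")
        # Resolve ${property} references defined in this same file.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        reasons = []
        if artifact.endswith(LEGACY):
            reasons.append("legacy artifact line; use " + artifact[:-len(LEGACY)] + CURRENT)
        parts = re.match(r"(\d+)\.(\d+)", version)
        if not parts:
            reasons.append("version not resolvable from this file")
        elif (int(parts.group(1)), int(parts.group(2))) < FLOOR:
            reasons.append("older than 1.54")
        if reasons:
            findings.append((artifact, version, reasons))
    return findings
```

Versions inherited from a parent POM or a BOM are reported as not resolvable from the file, so run it against the effective POM when the build uses inheritance.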