[PR] HADOOP-19154. Upgrade bouncycastle to 1.78.1 due to CVEs (#6755) [hadoop]

Thu, 06 Jun 2024 05:42:57 -0700 


pjfanning opened a new pull request, #6866:
URL: https://github.com/apache/hadoop/pull/6866

   Addresses
   
   * CVE-2024-29857 - Importing an EC certificate with specially crafted F2m 
parameters can cause high CPU usage during parameter evaluation.
   * CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due 
to exception processing eliminated.
   * CVE-2024-30172 - Crafted signature and public key can be used to trigger 
an infinite loop in the Ed25519 verification code.
   * CVE-2024-301XX - When endpoint identification is enabled and an SSL socket 
is not created with an explicit hostname (as happens with HttpsURLConnection), 
hostname verification could be performed against a DNS-resolved IP address.
   
   Contributed by PJ Fanning
   
   <!--
     Thanks for sending a pull request!
       1. If this is your first time, please read our contributor guidelines: 
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
       2. Make sure your PR title starts with JIRA issue id, e.g., 
'HADOOP-17799. Your PR title ...'.
   -->
   
   ### Description of PR
   
   
   ### How was this patch tested?
   
   
   ### For code changes:
   
   - [x] Does the title or this PR starts with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [x] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to