[
https://issues.apache.org/jira/browse/PDFBOX-4779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039700#comment-17039700
]
Tilman Hausherr edited comment on PDFBOX-4779 at 2/19/20 4:56 AM:
------------------------------------------------------------------
We've done it for the trunk, but not for the 2.* branch. I'm not sure if this
is OK or not.
CC [~lehmi]
(And this would also require to update the website upon release)
Of course a user can always use the newer BC version in its own pom.xml, there
are no API incompatibilities AFAIK.
was (Author: tilman):
We've done it for the trunk, but not for the 2.* branch. I'm not sure if this
is OK or not. (And this would also require to update the website upon release)
CC [~lehmi]
Of course a user can always use the newer BC version in its own pom.xml, there
are no API incompatibilities AFAIK.
> PDFBOX: Update Bouncy Castle Crypto to version 1.64
> ---------------------------------------------------
>
> Key: PDFBOX-4779
> URL: https://issues.apache.org/jira/browse/PDFBOX-4779
> Project: PDFBox
> Issue Type: Improvement
> Components: Crypto
> Affects Versions: 2.0.18
> Reporter: Nick Gorbarov
> Priority: Major
> Labels: crypto
>
> Please update Bouncy Castle Crypto to verison 1.64. It contains critical
> issue:
> *CVE-2019-17359*: A change to the ASN.1 parser in 1.63 introduced a
> regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data.
> We recommend upgrading to 1.64, particularly where an application might be
> parsing untrusted ASN.1 data from third parties.
>
> Link to Bouncy Castle Crypto: [https://www.bouncycastle.org/releasenotes.html]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
