[ https://issues.apache.org/jira/browse/OMID-257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779423#comment-17779423 ]

Rajeshbabu Chintaguntla commented on OMID-257:
----------------------------------------------

Merged the PR to master. Thanks for patch [~nihaljain.cs] and reviews [~gjacoby], [~stoty]

> Upgrade bouncycastle and move from jdk15on to latest jdk18on
> ------------------------------------------------------------
>
>                 Key: OMID-257
>                 URL: https://issues.apache.org/jira/browse/OMID-257
>             Project: Phoenix Omid
>          Issue Type: Sub-task
>            Reporter: Nihal Jain
>            Assignee: Nihal Jain
>            Priority: Major
>
> Omid has a test dependency on BouncyCastle 1.60 which is vulnerable with following CVEs
> * [CVE-2023-33201|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33201]
> * [CVE-2020-26939|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26939]
> * [CVE-2020-15522|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522]
>
> Latest being, [CVE-2023-33201|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33201] with advisory: [https://github.com/bcgit/bc-java/wiki/CVE-2023-33201]
>
> This JIRA's goal is to fix the following:
> * Upgrade to v1.76, the latest version.
> ** This requires bcprov-jdk15on to be replaced with bcprov-jdk18on
> ** See [https://www.bouncycastle.org/latest_releases.html]
> ***
> {quote}*Java Version Details* With the arrival of Java 15. jdk15 is not quite as unambiguous as it was. The *jdk18on* jars are compiled to work with *anything* from Java 1.8 up. They are also multi-release jars so do support some features that were introduced in Java 9, Java 11, and Java 15. If you have issues with multi-release jars see the jdk15to18 release jars below.
> *Packaging Change (users of 1.70 or earlier):* BC 1.71 changed the jdk15on jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or containers/applications that cannot cope with multi-release jars, you should now use the jdk15to18 jars.
> {quote}
> * Exclude bcprov-jdk15on from everywhere else to avoid conflicts with bcprov-jdk18on

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
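
One way to verify the two goals in the issue above (everything on 1.76, no bcprov-jdk15on left on the classpath) is to audit `mvn dependency:tree` output. This is an added example, not code from the Omid project or the PR; the sample tree, the `org.example` coordinates and all function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output; not taken from the Omid build.
SAMPLE_TREE = """\
[INFO] org.example:demo-module:jar:1.0.0
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.76:test
[INFO] +- org.example:legacy-helper:jar:2.3:test
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.60:test
[INFO] \\- org.bouncycastle:bcpkix-jdk18on:jar:1.71:test
"""

TARGET = (1, 76)  # upgrade target named in the issue


def version_tuple(version):
    """'1.78.1' -> (1, 78, 1), so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def bouncycastle_coords(tree_text):
    """Yield (artifact, version, scope) for each org.bouncycastle node."""
    for line in tree_text.splitlines():
        for token in line.split():
            parts = token.split(":")
            # group:artifact:type[:classifier]:version:scope
            if parts[0] == "org.bouncycastle" and len(parts) in (5, 6):
                yield parts[1], parts[-2], parts[-1]


def audit(tree_text, target=TARGET):
    """Return the nodes that still need the upgrade or an exclusion."""
    findings = []
    for artifact, version, scope in bouncycastle_coords(tree_text):
        reasons = []
        if artifact.endswith("-jdk15on"):
            reasons.append("jdk15on packaging, replace or exclude")
        if version_tuple(version) < target:
            reasons.append("below %d.%d" % target)
        if reasons:
            findings.append((artifact, version, scope, reasons))
    return findings


if __name__ == "__main__":
    for artifact, version, scope, reasons in audit(SAMPLE_TREE):
        print(f"{artifact}:{version} ({scope}): {'; '.join(reasons)}")
```

A transitive bcprov-jdk15on, as in the constructed sample, is the case the last bullet of the issue addresses: it stays on the classpath next to bcprov-jdk18on until the dependency that pulls it in carries an exclusion.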