[
https://issues.apache.org/jira/browse/QPID-8501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dedeepya updated QPID-8501:
---------------------------
Description:
The below components are reported as vulnerabilities and need to be upgraded
||Component Name||Component Version||
|org.bouncycastle:bcprov-jdk15on|1.66|
The above package is vulnerable to Comparison Using Wrong Factors. The
{{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different.
[https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
The Qpid Broker does not store passwords and hence won't do the comparisons.
Thus, it is not vulnerable to the reported issue. Though, we need to upgrade
the bouncycastle version in order to stop it from being flagged by scanning tools.
was:
The below components are reported as vulnerabilities and need to be upgraded
||Component Name||Component Version||
|org.bouncycastle:bcprov-jdk15on|1.66|
The above package is vulnerable to Comparison Using Wrong Factors. The
{{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different.
[https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
> Upgrade bouncycastle component versions
> ---------------------------------------
>
> Key: QPID-8501
> URL: https://issues.apache.org/jira/browse/QPID-8501
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-8.0.3
> Reporter: Dedeepya
> Priority: Major
>
> The below components are reported as vulnerabilities and need to be upgraded
> ||Component Name||Component Version||
> |org.bouncycastle:bcprov-jdk15on|1.66|
> The above package is vulnerable to Comparison Using Wrong Factors. The
> {{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
> checking the password, allowing incorrect passwords to indicate they were
> matching with previously hashed ones that were different.
> [https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
> The Qpid Broker does not store passwords and hence won't do the comparisons.
> Thus, it is not vulnerable to the reported issue. Though, we need to upgrade
> the bouncycastle version in order to stop it from being flagged by scanning tools.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
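The comparison flaw the advisory above describes, as an added illustration that is not Bouncy Castle's or Qpid's own code: the affected checkPassword loop called String.indexOf(int) with the loop index where charAt(int) was meant, so it compared the first position at which each code point occurs rather than the character at each position. The class name, the two bcrypt-shaped strings and the method names are constructed for this demonstration; flawedEquals reproduces the mistaken loop, while charByCharEquals and constantTimeEquals are corrected forms (String.repeat needs Java 11 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration of the checkPassword comparison flaw; not Bouncy Castle
// or Qpid code. Names and sample strings are constructed for the demo.
public class BcryptCompareDemo {

    // Flawed form: the loop index i is passed to String.indexOf(int), which
    // searches for the character whose code point is i and returns where it
    // first occurs (or -1), instead of charAt(i) fetching the character at
    // position i. For a 60-character bcrypt string only code points 0..59 are
    // ever probed, so only '$', '.', '/' and the digits influence the result;
    // every letter of the salt and hash is ignored.
    static boolean flawedEquals(String stored, String recomputed) {
        boolean isEqual = stored.length() == recomputed.length();
        for (int i = 0; i != stored.length(); i++) {
            isEqual &= (stored.indexOf(i) == recomputed.indexOf(i));
        }
        return isEqual;
    }

    // Corrected form: compare the character at each position, without an
    // early exit so the time taken does not reveal where the mismatch is.
    static boolean charByCharEquals(String stored, String recomputed) {
        if (stored.length() != recomputed.length()) {
            return false;
        }
        boolean isEqual = true;
        for (int i = 0; i != stored.length(); i++) {
            isEqual &= (stored.charAt(i) == recomputed.charAt(i));
        }
        return isEqual;
    }

    // Same check using the JDK's constant-time byte array comparison.
    static boolean constantTimeEquals(String stored, String recomputed) {
        return MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8),
            recomputed.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed bcrypt-shaped strings: version, cost, then 53 characters
        // of salt+hash. They share the prefix and differ in every other position.
        String stored     = "$2a$10$" + "a".repeat(53);
        String recomputed = "$2a$10$" + "b".repeat(53);

        System.out.println("flawed       : " + flawedEquals(stored, recomputed));
        System.out.println("char-by-char : " + charByCharEquals(stored, recomputed));
        System.out.println("constant-time: " + constantTimeEquals(stored, recomputed));
    }
}
```

Compiled and run, flawedEquals reports the two different strings as equal, because both contain '$' first at index 0, '2' at 1, '1' at 4, '0' at 5 and none of the other probed characters, while both corrected forms report them as different. To confirm which bcprov artifact and version a broker build actually resolves before and after the upgrade, `mvn dependency:tree -Dincludes=org.bouncycastle` lists the resolved Bouncy Castle dependencies.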