[ https://issues.apache.org/jira/browse/QPID-8501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17272887#comment-17272887 ]

ASF GitHub Bot commented on QPID-8501:
--------------------------------------

asfgit closed pull request #78:
URL: https://github.com/apache/qpid-broker-j/pull/78


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Upgrade bouncycastle component versions
> ---------------------------------------
>
>                 Key: QPID-8501
>                 URL: https://issues.apache.org/jira/browse/QPID-8501
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.3
>            Reporter: Dedeepya
>            Priority: Major
>             Fix For: qpid-java-broker-8.0.4, qpid-java-broker-7.1.12
>
>
> The components below are reported as vulnerable and need to be upgraded:
> ||Component Name||Component Version||
> |org.bouncycastle:bcprov-jdk15on|1.66|
> The above package is vulnerable to Comparison Using Wrong Factors. The
> {{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
> checking the password, allowing incorrect passwords to indicate they were
> matching with previously hashed ones that were different.
> [https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
> This is a test dependency, hence the QPID broker is not vulnerable to the
> reported issue. However, we need to upgrade the bouncycastle version in order
> to stop it from being flagged by scanning tools.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
