[ https://issues.apache.org/jira/browse/QPID-8501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17273529#comment-17273529 ]

ASF subversion and git services commented on QPID-8501:
-------------------------------------------------------

Commit 8952114afe3220db60e48a1916df7673ad785160 in qpid-broker-j's branch 
refs/heads/8.0.x from Dedeepya T
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=8952114 ]

QPID-8501:[Broker-J]Upgrade bouncy castle versions


> Upgrade bouncycastle component versions
> ---------------------------------------
>
>                 Key: QPID-8501
>                 URL: https://issues.apache.org/jira/browse/QPID-8501
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.3
>            Reporter: Dedeepya
>            Priority: Major
>             Fix For: qpid-java-broker-8.0.4, qpid-java-broker-7.1.12
>
>
> The below components are reported as vulnerabilities and need to be upgraded.
> ||Component Name||Component Version||
> |org.bouncycastle:bcprov-jdk15on|1.66|
> The above package is vulnerable to Comparison Using Wrong Factors. The 
> {{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when 
> checking the password, allowing incorrect passwords to indicate they were 
> matching with previously hashed ones that were different.
> [https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
> This is a test dependency, hence QPID broker is not vulnerable to the 
> reported issue. Though, we need to upgrade the bouncycastle version in order 
> to stop it from being flagged by scanning tools.
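An added regression check (not part of the Qpid issue or the commit) that a maintainer could keep next to the upgraded dependency: it hashes a password with OpenBSDBCrypt and asserts that only the original password verifies, which is exactly the property the flagged checkPassword bug broke. It assumes the bcprov-jdk15on artifact on the classpath is a version that contains the fix; the page does not name that version, so it appears below as a placeholder.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

// Regression check for the OpenBSDBCrypt.checkPassword comparison defect
// described in QPID-8501. Assumes bcprov-jdk15on <FIXED_VERSION> (placeholder,
// not taken from the page) is on the classpath.
public final class BcryptRegressionCheck {

    // Returns true only if the original password verifies AND every
    // candidate wrong password is rejected against the same hash.
    static boolean checkPasswordIsSound(char[] password, char[][] wrongPasswords) {
        byte[] salt = new byte[16];                 // bcrypt uses a 128-bit salt
        new SecureRandom().nextBytes(salt);
        // Cost 4 is the minimum; keep it low so the check runs fast in a test suite.
        String hash = OpenBSDBCrypt.generate(password, salt, 4);

        if (!OpenBSDBCrypt.checkPassword(hash, password)) {
            return false;                           // correct password must match
        }
        for (char[] wrong : wrongPasswords) {
            if (OpenBSDBCrypt.checkPassword(hash, wrong)) {
                return false;                       // a wrong password matched: the bug
            }
        }
        return true;
    }

    public static void main(String[] args) {
        char[] password = "correct-horse-battery".toCharArray();  // constructed sample
        // Constructed wrong passwords chosen to differ in different ways from the original:
        // same length with one changed character, a strict prefix, a suffix, and empty.
        char[][] wrong = {
            "correct-horse-batterY".toCharArray(),
            "correct-horse".toCharArray(),
            "correct-horse-battery-staple".toCharArray(),
            new char[0],
        };
        boolean sound = checkPasswordIsSound(password, wrong);
        Arrays.fill(password, '\0');                // do not leave the secret in memory
        System.out.println("OpenBSDBCrypt.checkPassword sound: " + sound);
        if (!sound) {
            System.exit(1);                         // fail the build if the defect is present
        }
    }
}
```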



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
