[
https://issues.apache.org/jira/browse/CXF-7757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh reassigned CXF-7757:
----------------------------------------
Assignee: Colm O hEigeartaigh
> Upgrade bouncycastle dependency to fix vulnerability
> ----------------------------------------------------
>
> Key: CXF-7757
> URL: https://issues.apache.org/jira/browse/CXF-7757
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.2.4
> Reporter: Dominique Jacques-Brissette
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> Apache CXF has a dependency on org.bouncycastle:[email protected] which has
> a vulnerability known as CVE-2016-1000338
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338).
> We discovered it in our projects via Snyk:
> https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340
> The whole dependency chain is as follows:
> org.apache.cxf:[email protected] >
> org.apache.wss4j:[email protected] >
> org.apache.wss4j:[email protected] >
> org.apache.wss4j:[email protected] >
> org.opensaml:[email protected] >
> org.opensaml:[email protected] >
> org.opensaml:[email protected] >
> org.opensaml:[email protected] >
> org.opensaml:[email protected] >
> org.opensaml:[email protected] >
> org.cryptacular:[email protected] >
> *org.bouncycastle:[email protected]*
> For example, if the transitive dependency cryptacular was at 1.2.2,
> then org.bouncycastle:[email protected] would be used and the
> vulnerability would be patched.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
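A way to check a consuming build for the kind of deep transitive path this ticket describes, as an added example that is not from the ticket or the CXF project: the script parses `mvn dependency:tree` text output (a constructed sample with made-up versions is embedded) and reports every path that resolves org.bouncycastle:bcprov-jdk15on below a fixed version, which is passed in as a parameter rather than taken from the ticket.

```python
import re
from typing import List, Tuple

# Constructed sample in `mvn dependency:tree` text format; NOT real CXF build
# output, and the versions are made up to show one vulnerable transitive path
# plus one harmless (test-scoped, newer) copy of the same artifact.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.cxf:cxf-rt-ws-security:jar:3.2.4:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-dom:jar:2.2.1:compile
[INFO] |     \- org.opensaml:opensaml-saml-impl:jar:3.3.0:compile
[INFO] |        \- org.cryptacular:cryptacular:jar:1.1.4:compile
[INFO] |           \- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
[INFO] \- org.bouncycastle:bcprov-jdk15on:jar:1.59:test
"""

# Each tree level is a 3-character prefix: "+- ", "|  ", "\- " or "   ".
_LINE = re.compile(r"^([|+\\ -]*?)([A-Za-z0-9_.]+:.*)$")


def _version_key(version: str) -> Tuple[int, ...]:
    # Compare on numeric components only ("1.59" -> (1, 59)); qualifiers ignored.
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed_in: str) -> bool:
    """True when the resolved version is older than the first fixed release."""
    return _version_key(version) < _version_key(fixed_in)


def find_paths(tree_text: str, group: str, artifact: str, fixed_in: str) -> List[List[str]]:
    """Return every root-to-leaf path that resolves group:artifact below fixed_in."""
    stack: List[str] = []          # coordinates from the root down to the current depth
    hits: List[List[str]] = []
    for raw in tree_text.splitlines():
        line = re.sub(r"^\[INFO\]\s?", "", raw.rstrip())
        m = _LINE.match(line)
        if not line or not m:
            continue               # blank line or non-tree noise
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")   # group:artifact:type[:classifier]:version[:scope]
        g, a = parts[0], parts[1]
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # root line has no scope
        del stack[depth:]          # pop back to the parent of this node
        stack.append(f"{g}:{a}:{version}")
        if g == group and a == artifact and is_vulnerable(version, fixed_in):
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    # "1.56" is used here as the threshold; substitute the fixed version you are tracking.
    for path in find_paths(SAMPLE_TREE, "org.bouncycastle", "bcprov-jdk15on", "1.56"):
        print(" > ".join(path))
```

Run it against `mvn dependency:tree` output saved to a file; a compile-scoped hit means the fix must be forced (by upgrading the intermediate artifact, as the ticket suggests, or by pinning the leaf in dependencyManagement), while a test-scoped one never ships.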