Nihal Jain created HBASE-28089:
----------------------------------

             Summary: Upgrade BouncyCastle to fix CVE-2023-33201
                 Key: HBASE-28089
                 URL: https://issues.apache.org/jira/browse/HBASE-28089
             Project: HBase
          Issue Type: Task
            Reporter: Nihal Jain
            Assignee: Nihal Jain


HBase has a dependency on BouncyCastle 1.70, which is vulnerable to 
[CVE-2023-33201|https://nvd.nist.gov/vuln/detail/CVE-2023-33201].

Advisory: [https://github.com/bcgit/bc-java/wiki/CVE-2023-33201]

This JIRA's goal is to fix the following:
 * Upgrade to v1.76, the latest version.
 ** This requires bcprov-jdk15on to be replaced with bcprov-jdk18on
 ** See [https://www.bouncycastle.org/latest_releases.html]
{quote}*Java Version Details* With the arrival of Java 15, jdk15 is not quite 
as unambiguous as it was. The *jdk18on* jars are compiled to work with 
*anything* from Java 1.8 up. They are also multi-release jars so do support 
some features that were introduced in Java 9, Java 11, and Java 15. If you have 
issues with multi-release jars see the jdk15to18 release jars below.

*Packaging Change (users of 1.70 or earlier):* BC 1.71 changed the jdk15on jars 
to jdk18on so the base has now moved to Java 8. For earlier JVMs, or 
containers/applications that cannot cope with multi-release jars, you should 
now use the jdk15to18 jars.
{quote}
 * Exclude bcprov-jdk15on from everywhere else to avoid conflicts with 
bcprov-jdk18on



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
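The upgrade described in the issue (move to the jdk18on artifacts at 1.76, keep bcprov-jdk15on off the classpath) can be expressed in a Maven build like the fragment below. This is an added example, not HBase's own pom.xml: the project coordinates and the `some-library-using-old-bc` dependency are hypothetical placeholders standing in for any third-party library that still drags in the old jar transitively, and the enforcer rule is one way to make the build fail if a jdk15on artifact reappears rather than relying on ad-hoc exclusions alone.

```xml
<!-- Added example (not HBase's pom.xml). Pins BouncyCastle to the jdk18on line
     at 1.76, excludes the old jdk15on provider from a transitive path, and
     makes the build fail if any jdk15on artifact sneaks back in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>                 <!-- placeholder coordinates -->
  <artifactId>bc-upgrade-example</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Single place to bump the BC version for every module. -->
    <bouncycastle.version>1.76</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- bcpkix-jdk18on depends on bcprov-jdk18on, so manage both together. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk18on</artifactId>
    </dependency>
    <!-- Hypothetical library that still declares bcprov-jdk15on transitively.
         Excluding it here prevents two providers (1.70 and 1.76) on the classpath. -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library-using-old-bc</artifactId>
      <version>2.0</version>
      <exclusions>
        <exclusion>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcprov-jdk15on</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Build-time check: fail the build if a jdk15on artifact is pulled in
           through any path that was not excluded above. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-old-bouncycastle</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
                    <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the result before and after the change, `mvn dependency:tree -Dincludes=org.bouncycastle` lists every BouncyCastle artifact that still resolves and the path it arrives through; the enforcer execution then keeps that state from regressing in CI.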
