[ https://issues.apache.org/jira/browse/HBASE-28552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17840894#comment-17840894 ]

Nikita Pande edited comment on HBASE-28552 at 4/25/24 5:49 PM:
---------------------------------------------------------------

Version 1.78 does fix the following CVEs, as mentioned in
[https://www.bouncycastle.org/releasenotes.html]
{noformat}
Release 1.78 deals with the following CVEs:
CVE-2024-29857 - Importing an EC certificate with specially crafted F2m 
parameters can cause high CPU usage during parameter evaluation.
CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to 
exception processing eliminated.
CVE-2024-30172 - Crafted signature and public key can be used to trigger an 
infinite loop in the Ed25519 verification code.
CVE-2024-301XX - When endpoint identification is enabled in the BCJSSE and an 
SSL socket is not created with an explicit hostname (as happens with 
HttpsURLConnection), hostname verification could be performed against a 
DNS-resolved IP address. This has been fixed.{noformat}


> Bump up bouncycastle dependency from 1.76 to 1.78
> -------------------------------------------------
>
>                 Key: HBASE-28552
>                 URL: https://issues.apache.org/jira/browse/HBASE-28552
>             Project: HBase
>          Issue Type: Improvement
>            Reporter: Nikita Pande
>            Assignee: Nikita Pande
>            Priority: Major
>              Labels: pull-request-available
>
> org.bouncycastle:bcprov-jdk18on 1.76 is to be upgraded to the latest,
> org.bouncycastle:bcprov-jdk18on 1.78.
> Refer to [link
> org.bouncycastle|https://security.snyk.io/package/maven/org.bouncycastle:bcprov-debug-jdk18on]
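A check a practitioner would run after a bump like this one, as an added example that is neither HBase nor Bouncy Castle code: bumping the direct bcprov-jdk18on coordinate does not remove older Bouncy Castle jars that arrive transitively under another artifactId or JDK flavour, and every org.bouncycastle artifact below 1.78 still carries the CVEs listed in the comment above. The script scans `mvn dependency:tree` output for any org.bouncycastle artifact below that floor. The sample tree lines are constructed for the example, the 1.78 floor comes from the release notes quoted above, and the script name bc_audit.py is an assumption.

```python
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Floor taken from the Bouncy Castle 1.78 release notes quoted in the comment:
# every org.bouncycastle artifact below this still carries the listed CVEs.
MIN_VERSION = "1.78"

# Constructed sample of `mvn dependency:tree` output (not real HBase output):
# the direct bcprov/bcpkix dependencies are already on 1.78, but two
# transitive paths still drag in older Bouncy Castle jars.
SAMPLE_TREE = """\
[INFO] org.apache.hbase:hbase-server:jar:2.6.0-SNAPSHOT
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78:test
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.78:test
[INFO] +- org.example:some-client:jar:3.1.0:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] \\- org.example:other-lib:jar:0.9:compile
[INFO]    \\- org.bouncycastle:bctls-jdk18on:jar:1.76:compile
"""

# Maven coordinates as printed by dependency:tree:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


class Artifact(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str


def parse_version(v: str) -> Tuple[Tuple[int, ...], bool]:
    """Turn "1.78.1" into ((1, 78, 1), True) so comparison is numeric rather
    than lexical ("1.78" > "1.9" must hold). A qualifier such as "-SNAPSHOT"
    or "-rc1" marks a pre-release, which sorts below the bare release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2) == ""


def iter_artifacts(tree_text: str) -> Iterator[Artifact]:
    """Yield every resolved coordinate in the tree. The root module line
    prints no scope, so it does not match and is skipped."""
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if m:
            yield Artifact(m["group"], m["artifact"], m["version"], m["scope"])


def outdated_bouncycastle(tree_text: str, floor: str = MIN_VERSION) -> List[Artifact]:
    """Return the org.bouncycastle artifacts below `floor`, whatever their
    artifactId (bcprov, bcpkix, bctls, ...) or JDK flavour (-jdk15on,
    -jdk18on): all of them share one release numbering, so a stale transitive
    bcprov-jdk15on is as exposed as a stale direct bcprov-jdk18on. Which
    duplicate wins on the runtime classpath is the next thing to check."""
    floor_v = parse_version(floor)
    return [
        a for a in iter_artifacts(tree_text)
        if a.group == "org.bouncycastle" and parse_version(a.version) < floor_v
    ]


if __name__ == "__main__":
    # Usage: mvn dependency:tree > tree.txt && python bc_audit.py tree.txt
    # With no argument the constructed sample is audited instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_TREE
    stale = outdated_bouncycastle(text)
    for a in stale:
        print(f"{a.group}:{a.artifact}:{a.version} ({a.scope}) is below {MIN_VERSION}")
    sys.exit(1 if stale else 0)
```

The non-zero exit status makes the check usable as a CI gate; run it against `mvn dependency:tree -Dincludes=org.bouncycastle` for a shorter tree if the project is large.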



--
This message was sent by Atlassian Jira
(v8.20.10#820010)