[ 
https://issues.apache.org/jira/browse/KARAF-7240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Karthick updated KARAF-7240:
----------------------------
    Description: We are using Apache Karaf 4.3.2 in our project and our 
security scans report CVE-2020-28052 
(https://nvd.nist.gov/vuln/detail/CVE-2020-28052)
 on our package because Karaf by default packs bcprov and bcpkix 1.66 versions. 
The fix for the specified CVE is to use bcprov and bcpkix 1.67 and higher. 
Apache Karaf should update to use later versions of these bouncy castle 3pps so 
that this CVE is mitigated.  (was: We are using Apache Karaf 4.3.2 in our 
project and our security scans report CVE-2021-26291 
(https://nvd.nist.gov/vuln/detail/CVE-2021-26291)
 on our package because Karaf by default packs maven 3.6.x. The fix for the 
specified CVE is Maven 3.8.1+ 
(https://maven.apache.org/docs/3.8.1/release-notes.html). Apache Karaf 
should update to use later versions of Maven resolver etc so that this 
vulnerability is mitigated.)

> Upgrade bcprov artifacts to mitigate CVE-2020-28052
> ---------------------------------------------------
>
>                 Key: KARAF-7240
>                 URL: https://issues.apache.org/jira/browse/KARAF-7240
>             Project: Karaf
>          Issue Type: Task
>          Components: karaf
>    Affects Versions: 4.3.2
>         Environment: Apache Karaf - OSGi
>            Reporter: Karthick
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> We are using Apache Karaf 4.3.2 in our project and our security scans report 
> CVE-2020-28052 
> (https://nvd.nist.gov/vuln/detail/CVE-2020-28052)
>  on our package because Karaf by default packs bcprov and bcpkix 1.66 
> versions. The fix for the specified CVE is to use bcprov and bcpkix 1.67 and 
> higher. Apache Karaf should update to use later versions of these bouncy 
> castle 3pps so that this CVE is mitigated.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
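As an added example, not part of this Jira issue or of Karaf's own code: a POSIX shell check an operator could run against an unpacked Karaf distribution to see whether the bcprov/bcpkix jars it ships are below the 1.67 floor the report cites for CVE-2020-28052. It assumes the Maven-style `system/` repository layout (`system/org/bouncycastle/<artifact>/<version>/<artifact>-<version>.jar`) and the `bcprov-jdk15on` / `bcpkix-jdk15on` artifact names; both are assumptions about the distribution, not facts stated in the report. The fixture directory it builds for the demo is constructed. It inspects only what is on disk, so a bundle installed later from another repository, or a different Bouncy Castle artifact (such as a `jdk18on` variant), is not covered.

```shell
#!/bin/sh
# Added example, not code from the KARAF-7240 report or from Apache Karaf.
# Scans a Karaf distribution for the Bouncy Castle jars the report mentions
# and flags any older than the version it names as the fix (1.67).
#
# Assumptions (not stated in the report): bundles live in a Maven-style
# repository under KARAF_HOME/system, so the jars are found at
#   system/org/bouncycastle/bcprov-jdk15on/<ver>/bcprov-jdk15on-<ver>.jar
# and likewise for bcpkix-jdk15on; versions are dotted numerics (1.66, 1.78.1).

MIN_BC_VERSION=1.67

# version_lt A B : succeed when dotted version A is strictly lower than B.
# Pure POSIX sh, field by field, so it does not depend on sort -V.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        af=${a%%.*}; bf=${b%%.*}           # leading field of each version
        if [ "$a" = "$af" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bf" ]; then b=; else b=${b#*.}; fi
        if [ "${af:-0}" -lt "${bf:-0}" ]; then return 0; fi
        if [ "${af:-0}" -gt "${bf:-0}" ]; then return 1; fi
    done
    return 1                               # versions are equal
}

# check_bc_versions KARAF_HOME : print one line per Bouncy Castle jar found.
# Exit 0 if all are >= MIN_BC_VERSION, 1 if any is older, 2 if none found
# (which usually means the layout assumption above does not hold).
check_bc_versions() {
    found=0; old=0
    for jar in "$1"/system/org/bouncycastle/bcprov-jdk15on/*/*.jar \
               "$1"/system/org/bouncycastle/bcpkix-jdk15on/*/*.jar; do
        [ -f "$jar" ] || continue          # an unmatched glob stays literal
        found=$((found + 1))
        version=$(basename "$(dirname "$jar")")
        artifact=$(basename "$(dirname "$(dirname "$jar")")")
        if version_lt "$version" "$MIN_BC_VERSION"; then
            echo "VULNERABLE $artifact $version < $MIN_BC_VERSION  $jar"
            old=$((old + 1))
        else
            echo "ok         $artifact $version  $jar"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no Bouncy Castle jars found under $1/system" >&2
        return 2
    fi
    [ "$old" -eq 0 ]
}

# make_sample_karaf DIR VERSION : constructed fixture (empty stand-in jars in
# the assumed layout) so the check can be exercised without a real Karaf.
make_sample_karaf() {
    for artifact in bcprov-jdk15on bcpkix-jdk15on; do
        mkdir -p "$1/system/org/bouncycastle/$artifact/$2"
        : > "$1/system/org/bouncycastle/$artifact/$2/$artifact-$2.jar"
    done
}

# Usage: sh check_bc.sh /opt/apache-karaf-4.3.2
# With no argument, demonstrate on a constructed 1.66 layout like the report's.
if [ $# -gt 0 ]; then
    check_bc_versions "$1"; exit $?
else
    demo=$(mktemp -d)
    make_sample_karaf "$demo" 1.66
    check_bc_versions "$demo" || echo "exit status $? (1 = vulnerable jars present)"
    rm -rf "$demo"
fi
```

The exit status is meant for a CI gate: 0 passes, 1 means a jar below the floor is present, 2 means nothing matched and the layout or artifact names should be re-checked rather than treated as clean. The 1.67 threshold is taken from the report's own statement of the fix; confirm it against the NVD entry before relying on it, and re-run the check after any `feature:install` that could pull in a further Bouncy Castle bundle.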
