[ https://issues.apache.org/jira/browse/KARAF-7240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17400354#comment-17400354 ]
ASF GitHub Bot commented on KARAF-7240:
---------------------------------------
skitt commented on a change in pull request #1419:
URL: https://github.com/apache/karaf/pull/1419#discussion_r690307968
##########
File path: pom.xml
##########
@@ -169,7 +169,7 @@
<asm.version>9.2</asm.version>
<javax.annotation.version>1.3.1</javax.annotation.version>
<awaitility.version>3.1.6</awaitility.version>
- <bouncycastle.version>1.66</bouncycastle.version>
+ <bouncycastle.version>1.68</bouncycastle.version>
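Review bot: The hunk bumps only the single `bouncycastle.version` property, while the linked issue names both bcprov and bcpkix; please confirm both artifacts (and any other file that pins them separately) take their version from this property rather than a hard-coded 1.66, otherwise one of the two would stay on the vulnerable release. Per the issue text 1.67 is the first fixed release, so 1.68 does close CVE-2020-28052.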
Review comment:
Can’t we upgrade to 1.69? That’s the current release.
```suggestion
<bouncycastle.version>1.69</bouncycastle.version>
```
--
This is an automated message from the Apache Git Service.
> Upgrade bcprov 1.68 artifacts to mitigate CVE-2020-28052
> --------------------------------------------------------
>
> Key: KARAF-7240
> URL: https://issues.apache.org/jira/browse/KARAF-7240
> Project: Karaf
> Issue Type: Dependency upgrade
> Components: karaf
> Affects Versions: 4.3.2
> Environment: Apache Karaf - OSGi
> Reporter: Karthick
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> We are using Apache Karaf 4.3.2 in our project and our security scans report
> CVE-2020-28052 (https://nvd.nist.gov/vuln/detail/CVE-2020-28052)
> on our package because Karaf by default packs bcprov and bcpkix 1.66
> versions. The fix for the specified CVE is to use bcprov and bcpkix 1.67 and
> higher. Apache Karaf should update to use later versions of these bouncy
> castle 3pps so that this CVE is mitigated.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
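The issue reduces to one check: is the BouncyCastle version pinned in pom.xml at or above 1.67, the first release the report names as fixed for CVE-2020-28052? The following is an added example of that gate as a small CI check, not Karaf's own code; the `SAMPLE_POM` fragment is constructed and the property name `bouncycastle.version` and the 1.67 threshold are taken from the thread above.

```python
"""Gate a Maven pom.xml on the bouncycastle.version property (added example)."""
import re
import xml.etree.ElementTree as ET

# Maven POM namespace; <properties> sits directly under <project>.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# First BouncyCastle release that fixes CVE-2020-28052, per the Karaf issue.
MIN_FIXED = (1, 67)

# Constructed sample mirroring the property block shown in the pull request.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <asm.version>9.2</asm.version>
    <bouncycastle.version>1.66</bouncycastle.version>
  </properties>
</project>
"""


def parse_version(text):
    """Turn '1.68' or '1.70-SNAPSHOT' into a tuple of ints for comparison.
    A '-qualifier' suffix is ignored; anything else non-numeric is rejected."""
    core = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.split("."))


def bouncycastle_version(pom_xml):
    """Return the bouncycastle.version property text, or None if it is absent."""
    root = ET.fromstring(pom_xml)
    node = root.find(f"{POM_NS}properties/{POM_NS}bouncycastle.version")
    return node.text if node is not None and node.text else None


def is_vulnerable(pom_xml, min_fixed=MIN_FIXED):
    """True when the pinned version is below the fixed release.
    A missing property is reported as a finding: the version is unknown."""
    version = bouncycastle_version(pom_xml)
    if version is None:
        return True
    return parse_version(version) < min_fixed


if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(SAMPLE_POM) else "fixed")
```

Tuple comparison makes 1.67.1 and 1.70 pass while 1.9 (read as 1.9, not 1.90) correctly fails, which a plain string compare would get wrong.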