kemitix opened a new pull request #1039: [WIP] [Security] Bump bouncycastle.version from 1.51 to 1.60
URL: https://github.com/apache/brooklyn-server/pull/1039
 
 
   Bumps `bouncycastle.version` from 1.51 to 1.60.
   
   Updates `bcprov-ext-jdk15on` from 1.51 to 1.60. **This update includes security fixes.**
   <details>
   <summary>Vulnerabilities fixed</summary>
   
   *Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/3a59870b-28b3-4b6b-86b0-9629ebe9de40).*
   
   > **[CVE-2015-6644] Information disclosure**
   > > An information disclosure vulnerability in Bouncy Castle could enable a local malicious application to gain access to user's private information
   > > 
   > > -- [source.android.com](https://source.android.com/security/bulletin/2016-01-01#information_disclosure_vulnerability_in_bouncy_castle)
   > 
   > Affected versions: < 1.55.0
   
   </details>
   <details>
   <summary>Changelog</summary>
   
   *Sourced from [bcprov-ext-jdk15on's changelog](https://github.com/bcgit/bc-java/blob/master/docs/releasenotes.html).*
   
   > <html>
   > <head>
   > <title>Bouncy Castle Crypto Package - Release Notes</title>
   > </head>
   > 
   > <body bgcolor="#ffffff" text="#000000#">
   > 
   > <center>
   > <h1>Bouncy Castle Crypto Package - Release Notes</h1>
   > <font size=1>
   > <pre>
   > </pre>
   > </font>
   > </center>
   > <h2>1.0 Introduction</h2>
   > <p>
   > The Bouncy Castle Crypto package is a Java implementation of 
   > cryptographic algorithms.  The package is organised so that it 
   > contains a light-weight API suitable for use in any environment
   > (including the J2ME) with the additional infrastructure
   > to conform the algorithms to the JCE framework.
   > </p>
   > <h2>2.0 Release History</h2>
   > 
   > 
   > <h3>2.1.1 Version</h3>
   > Release: 1.61<br/>
   > Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2018,
   > <h3>2.1.2 Defects Fixed</h3>
   > <ul>
   > <li>Use of EC named curves could be lost if keys were constructed via a key factory and algorithm parameters. This has been fixed.</li>
   > <li>RFC3211WrapEngine would not properly handle messages longer than 127 bytes. This has been fixed.</li>
   > <li>The JCE implementations for RFC3211 would not return null AlgorithmParameters. This has been fixed.</li>
   > </ul>
   > <h3>2.1.3 Additional Features and Functionality</h3>
   > <ul>
   > <li>TLS: Finalised support for RFC 8442 cipher suites.</li>
   > </ul>
   > 
   > <h3>2.2.1 Version</h3>
   > Release: 1.60<br/>
   > Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2018, June 30
   > <h3>2.2.2 Defects Fixed</h3>
   > <ul>
   > <li>Base64/UrlBase64 would throw an exception on a zero length string. This has been fixed.</li>
   > <li>Base64/UrlBase64 would throw an exception if there was whitespace in the last 4 characters. This has been fixed.</li>
   > <li>The SM2 Signature JCE class now properly resets if Signature.sign() is called.</li>
   > <li>XMSS applies further validation to deserialisation of the BDS tree so that failure occurs as soon as tampering is detected (see CVE below).</li>
   > <li>An off by one error in the JsseDefaultHostnameAuthorizer isValidNameMatch method has been fixed.</li>
   > <li>BCJSSE: Return empty byte array instead of null, for the null session ID.</li>
   > ... (truncated)
   </details>
   <details>
   <summary>Commits</summary>
   
   - See full diff in [compare view](https://github.com/bcgit/bc-java/commits)
   </details>
   <br />
   
   Updates `bcpkix-jdk15on` from 1.51 to 1.60
   <details>
   <summary>Changelog</summary>
   
   *Sourced from [bcpkix-jdk15on's changelog](https://github.com/bcgit/bc-java/blob/master/docs/releasenotes.html).*
   
   > <html>
   > <head>
   > <title>Bouncy Castle Crypto Package - Release Notes</title>
   > </head>
   > 
   > <body bgcolor="#ffffff" text="#000000#">
   > 
   > <center>
   > <h1>Bouncy Castle Crypto Package - Release Notes</h1>
   > <font size=1>
   > <pre>
   > </pre>
   > </font>
   > </center>
   > <h2>1.0 Introduction</h2>
   > <p>
   > The Bouncy Castle Crypto package is a Java implementation of 
   > cryptographic algorithms.  The package is organised so that it 
   > contains a light-weight API suitable for use in any environment
   > (including the J2ME) with the additional infrastructure
   > to conform the algorithms to the JCE framework.
   > </p>
   > <h2>2.0 Release History</h2>
   > 
   > 
   > <h3>2.1.1 Version</h3>
   > Release: 1.61<br/>
   > Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2018,
   > <h3>2.1.2 Defects Fixed</h3>
   > <ul>
   > <li>Use of EC named curves could be lost if keys were constructed via a key factory and algorithm parameters. This has been fixed.</li>
   > <li>RFC3211WrapEngine would not properly handle messages longer than 127 bytes. This has been fixed.</li>
   > <li>The JCE implementations for RFC3211 would not return null AlgorithmParameters. This has been fixed.</li>
   > </ul>
   > <h3>2.1.3 Additional Features and Functionality</h3>
   > <ul>
   > <li>TLS: Finalised support for RFC 8442 cipher suites.</li>
   > </ul>
   > 
   > <h3>2.2.1 Version</h3>
   > Release: 1.60<br/>
   > Date:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2018, June 30
   > <h3>2.2.2 Defects Fixed</h3>
   > <ul>
   > <li>Base64/UrlBase64 would throw an exception on a zero length string. This has been fixed.</li>
   > <li>Base64/UrlBase64 would throw an exception if there was whitespace in the last 4 characters. This has been fixed.</li>
   > <li>The SM2 Signature JCE class now properly resets if Signature.sign() is called.</li>
   > <li>XMSS applies further validation to deserialisation of the BDS tree so that failure occurs as soon as tampering is detected (see CVE below).</li>
   > <li>An off by one error in the JsseDefaultHostnameAuthorizer isValidNameMatch method has been fixed.</li>
   > <li>BCJSSE: Return empty byte array instead of null, for the null session ID.</li>
   > ... (truncated)
   </details>
   <details>
   <summary>Commits</summary>
   
   - See full diff in [compare view](https://github.com/bcgit/bc-java/commits)
   </details>

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
