This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-4.0 by this push:
     new 2d50d168c19 [fix][sec] Upgrade bouncycastle bcpkix-fips version to 
1.79 to address CVE-2025-8916 (#24650)
2d50d168c19 is described below

commit 2d50d168c19d6a63f74e8eb0b081a1722075fdc4
Author: Lari Hotari <[email protected]>
AuthorDate: Wed Aug 20 18:05:42 2025 +0300

    [fix][sec] Upgrade bouncycastle bcpkix-fips version to 1.79 to address 
CVE-2025-8916 (#24650)
---
 bouncy-castle/bc/LICENSE                         |  2 +-
 bouncy-castle/bc/pom.xml                         |  2 --
 bouncy-castle/bcfips/LICENSE                     |  4 ++--
 distribution/server/src/assemble/LICENSE.bin.txt |  4 ++--
 distribution/shell/src/assemble/LICENSE.bin.txt  |  4 ++--
 pom.xml                                          | 17 +++++++++++++----
 6 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/bouncy-castle/bc/LICENSE b/bouncy-castle/bc/LICENSE
index c95d33d3d1f..9cbf445cda2 100644
--- a/bouncy-castle/bc/LICENSE
+++ b/bouncy-castle/bc/LICENSE
@@ -205,5 +205,5 @@
 This projects includes binary packages with the following licenses:
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-jdk18on-1.78.1.jar
+    - org.bouncycastle-bcpkix-jdk18on-1.81.jar
     - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
diff --git a/bouncy-castle/bc/pom.xml b/bouncy-castle/bc/pom.xml
index e4e5d78da78..3662a60e250 100644
--- a/bouncy-castle/bc/pom.xml
+++ b/bouncy-castle/bc/pom.xml
@@ -42,13 +42,11 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpkix-jdk18on</artifactId>
-      <version>${bouncycastle.version}</version>
     </dependency>
 
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-ext-jdk18on</artifactId>
-      <version>${bouncycastle.version}</version>
     </dependency>
   </dependencies>
 
diff --git a/bouncy-castle/bcfips/LICENSE b/bouncy-castle/bcfips/LICENSE
index f770bab992f..b493804d192 100644
--- a/bouncy-castle/bcfips/LICENSE
+++ b/bouncy-castle/bcfips/LICENSE
@@ -205,5 +205,5 @@
 This projects includes binary packages with the following licenses:
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-fips-1.0.1.jar
-    - org.bouncycastle-bc-fips-1.0.1.jar
+    - org.bouncycastle-bcpkix-fips-1.0.7.jar
+    - org.bouncycastle-bc-fips-1.0.2.6.jar
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt 
b/distribution/server/src/assemble/LICENSE.bin.txt
index 34ad17d2075..bef3ad023b7 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -619,9 +619,9 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-jdk18on-1.78.1.jar
+    - org.bouncycastle-bcpkix-jdk18on-1.81.jar
     - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
-    - org.bouncycastle-bcutil-jdk18on-1.78.1.jar
+    - org.bouncycastle-bcutil-jdk18on-1.81.jar
 
 ------------------------
 
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt 
b/distribution/shell/src/assemble/LICENSE.bin.txt
index 304e7309dcb..24b906b19e2 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -474,9 +474,9 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
-    - bcpkix-jdk18on-1.78.1.jar
+    - bcpkix-jdk18on-1.81.jar
     - bcprov-jdk18on-1.78.1.jar
-    - bcutil-jdk18on-1.78.1.jar
+    - bcutil-jdk18on-1.81.jar
 
 ------------------------
 
diff --git a/pom.xml b/pom.xml
index a68c7432fb8..9001dd2063b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -196,9 +196,12 @@ flexible messaging model and an intuitive client 
API.</description>
     <slf4j.version>2.0.13</slf4j.version>
     <commons.collections4.version>4.4</commons.collections4.version>
     <log4j2.version>2.23.1</log4j2.version>
-    <bouncycastle.version>1.78.1</bouncycastle.version>
+    <!-- bouncycastle dependencies aren't necessarily aligned -->
+    
<bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version>
+    
<bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version>
+    
<bouncycastle.bcprov-ext-jdk18on.version>1.78.1</bouncycastle.bcprov-ext-jdk18on.version>
     <bouncycastle.bcpkix-fips.version>1.0.7</bouncycastle.bcpkix-fips.version>
-    <bouncycastle.bc-fips.version>1.0.2.5</bouncycastle.bc-fips.version>
+    <bouncycastle.bc-fips.version>1.0.2.6</bouncycastle.bc-fips.version>
     <jackson.version>2.17.2</jackson.version>
     <fastutil.version>8.5.14</fastutil.version>
     <reflections.version>0.10.2</reflections.version>
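Review bot: The new comment `<!-- bouncycastle dependencies aren't necessarily aligned -->` records that the versions are split but not why, and the why is what the next upgrader needs: bcpkix-jdk18on moves to 1.81 while bcprov-jdk18on and bcprov-ext-jdk18on stay pinned at 1.78.1, so dependency management overrides the bcprov version bcpkix 1.81 declares while bcutil (unmanaged here) follows bcpkix to 1.81, as the LICENSE.bin.txt hunks in this commit show (bcutil 1.81 next to bcprov 1.78.1). Whether that mix is supported by Bouncy Castle is not stated anywhere in the change, so I would extend the comment to `<!-- bcpkix-jdk18on is bumped independently to address CVE-2025-8916; bcprov-jdk18on and bcprov-ext-jdk18on are held at 1.78.1 because [REASON PLACEHOLDER]; bcutil follows bcpkix transitively, so re-check bcprov/bcutil/bcpkix compatibility whenever one of them moves -->`. The commit title says bcpkix-fips 1.79, but this hunk leaves bcpkix-fips at 1.0.7 and instead bumps bcpkix-jdk18on to 1.81 and bc-fips to 1.0.2.6, which is worth stating in the comment so the CVE-to-artifact mapping is auditable; the same remark applies to the bcprov-ext-jdk18on entry added in the dependencyManagement hunk below.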
@@ -1012,13 +1015,19 @@ flexible messaging model and an intuitive client 
API.</description>
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bcprov-jdk18on</artifactId>
-        <version>${bouncycastle.version}</version>
+        <version>${bouncycastle.bcprov-jdk18on.version}</version>
       </dependency>
 
       <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bcpkix-jdk18on</artifactId>
-        <version>${bouncycastle.version}</version>
+        <version>${bouncycastle.bcpkix-jdk18on.version}</version>
+      </dependency>
+
+      <dependency>
+        <groupId>org.bouncycastle</groupId>
+        <artifactId>bcprov-ext-jdk18on</artifactId>
+        <version>${bouncycastle.bcprov-ext-jdk18on.version}</version>
       </dependency>
 
       <dependency>
