This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new ec9861b70b9 [fix][sec] Upgrade BouncyCastle FIPS to 2.0.10 to 
remediate CVE-2025-8916 (#24923)
ec9861b70b9 is described below

commit ec9861b70b969f5f7d552edb5904d94d14822155
Author: guptas6est <[email protected]>
AuthorDate: Fri Oct 31 11:06:19 2025 +0000

    [fix][sec] Upgrade BouncyCastle FIPS to 2.0.10 to remediate CVE-2025-8916 
(#24923)
    
    (cherry picked from commit f3fa7e6dfded17c7f617fcebc8337bc02c67ce96)
---
 bouncy-castle/bcfips/LICENSE | 5 +++--
 bouncy-castle/bcfips/pom.xml | 5 +++++
 pom.xml                      | 4 ++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/bouncy-castle/bcfips/LICENSE b/bouncy-castle/bcfips/LICENSE
index b493804d192..5eda282e5aa 100644
--- a/bouncy-castle/bcfips/LICENSE
+++ b/bouncy-castle/bcfips/LICENSE
@@ -205,5 +205,6 @@
 This projects includes binary packages with the following licenses:
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-fips-1.0.7.jar
-    - org.bouncycastle-bc-fips-1.0.2.6.jar
+    - org.bouncycastle-bcpkix-fips-2.0.10.jar
+    - org.bouncycastle-bc-fips-2.0.1.jar
+    - org.bouncycastle-bctutil-fips-2.0.5.jar
diff --git a/bouncy-castle/bcfips/pom.xml b/bouncy-castle/bcfips/pom.xml
index be35160810b..7774748929a 100644
--- a/bouncy-castle/bcfips/pom.xml
+++ b/bouncy-castle/bcfips/pom.xml
@@ -33,6 +33,11 @@
   <name>Apache Pulsar :: Bouncy Castle :: BC-FIPS</name>
 
   <dependencies>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcutil-fips</artifactId>
+      <version>2.0.5</version>
+    </dependency>
     <dependency>
       <groupId>${project.groupId}</groupId>
       <artifactId>pulsar-common</artifactId>
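Review bot: The new `bcutil-fips` dependency pins `<version>2.0.5</version>` inline, while the other BouncyCastle FIPS versions are managed as properties in the root pom.xml (`bouncycastle.bcpkix-fips.version`, `bouncycastle.bc-fips.version`). Consider adding a property such as `<bouncycastle.bcutil-fips.version>2.0.5</bouncycastle.bcutil-fips.version>` there and referencing it here as `<version>${bouncycastle.bcutil-fips.version}</version>`, so the next security upgrade moves all three FIPS artifacts from one place. The LICENSE hunk also lists this jar as `org.bouncycastle-bctutil-fips-2.0.5.jar`, which does not match the artifactId `bcutil-fips`; the entry should presumably read `org.bouncycastle-bcutil-fips-2.0.5.jar`, otherwise any check that compares bundled jars with the LICENSE may miss it. The `<dependencies>` element continues outside the hunk.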
diff --git a/pom.xml b/pom.xml
index c1bb2d62c9e..124e18a2dcf 100644
--- a/pom.xml
+++ b/pom.xml
@@ -157,8 +157,8 @@ flexible messaging model and an intuitive client 
API.</description>
     
<bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version>
     
<bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version>
     
<bouncycastle.bcprov-ext-jdk18on.version>1.78.1</bouncycastle.bcprov-ext-jdk18on.version>
-    <bouncycastle.bcpkix-fips.version>1.0.7</bouncycastle.bcpkix-fips.version>
-    <bouncycastle.bc-fips.version>1.0.2.6</bouncycastle.bc-fips.version>
+    <bouncycastle.bcpkix-fips.version>2.0.10</bouncycastle.bcpkix-fips.version>
+    <bouncycastle.bc-fips.version>2.0.1</bouncycastle.bc-fips.version>
     <jackson.version>2.14.2</jackson.version>
     <reflections.version>0.10.2</reflections.version>
     <swagger.version>1.6.10</swagger.version>
