[jira] [Resolved] (HADOOP-19866) upgrade bouncycastle to 1.84 due to multiple CVEs

Steve Loughran (Jira) Fri, 24 Apr 2026 03:09:15 -0700


     [ 
https://issues.apache.org/jira/browse/HADOOP-19866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Steve Loughran resolved HADOOP-19866.
-------------------------------------
    Fix Version/s: 3.4.4
                   3.5.1
                   3.6.0
         Assignee: PJ Fanning
       Resolution: Fixed

> upgrade bouncycastle to 1.84 due to multiple CVEs
> -------------------------------------------------
>
>                 Key: HADOOP-19866
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19866
>             Project: Hadoop Common
>          Issue Type: Task
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.4, 3.5.1, 3.6.0
>
>
> [https://www.bouncycastle.org/download/bouncy-castle-java/#release-notes]
>  * CVE-2025-14813 - GOSTCTR implementation unable to process more than 255 
> blocks correctly.
>  * CVE-2026-0636 - LDAP Injection Vulnerability in LDAPStoreHelper.java.
>  * CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource 
> exhaustion.
>  * CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature 
> sequence as valid.
>  * CVE-2026-5598 - Non-constant time comparisons risk private key leakage in 
> FrodoKEM.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Resolved] (HADOOP-19866) upgrade bouncycastle to 1.84 due to multiple CVEs

Reply via email to