[
https://issues.apache.org/jira/browse/HADOOP-19866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18074846#comment-18074846
]
ASF GitHub Bot commented on HADOOP-19866:
-----------------------------------------
pjfanning commented on PR #8443:
URL: https://github.com/apache/hadoop/pull/8443#issuecomment-4280972843
@steveloughran we use the Java 1.8 compatible bouncycastle jars still. I'll
create a backport for 3.4 branch tonight.
> upgrade bouncycastle to 1.84 due to multiple CVEs
> -------------------------------------------------
>
> Key: HADOOP-19866
> URL: https://issues.apache.org/jira/browse/HADOOP-19866
> Project: Hadoop Common
> Issue Type: Task
> Reporter: PJ Fanning
> Priority: Major
> Labels: pull-request-available
>
> [https://www.bouncycastle.org/download/bouncy-castle-java/#release-notes]
> * CVE-2025-14813 - GOSTCTR implementation unable to process more than 255
> blocks correctly.
> * CVE-2026-0636 - LDAP Injection Vulnerability in LDAPStoreHelper.java.
> * CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource
> exhaustion.
> * CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature
> sequence as valid.
> * CVE-2026-5598 - Non-constant time comparisons risk private key leakage in
> FrodoKEM.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
