[
https://issues.apache.org/jira/browse/QPID-8501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dedeepya updated QPID-8501:
---------------------------
Description:
The below components are reported as vulnerabilities and need to be upgraded
||Component Name||Component Version||
|org.bouncycastle:bcprov-jdk15on|1.66|
The above package is vulnerable to Comparison Using Wrong Factors. The
{{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different.
[https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
This is a test dependency, hence QPID broker is not vulnerable to the reported
issue. Though, we need to upgrade the bouncycastle version in order to stop
from being flagged by scanning tools
was:
The below components are reported as vulnerabilities and need to be upgraded
||Component Name||Component Version||
|org.bouncycastle:bcprov-jdk15on|1.66|
The above package is vulnerable to Comparison Using Wrong Factors. The
{{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different.
[https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
The Qpid Broker does not store passwords and hence wont do the comparisions.
Thus, it is not vulnerable to the reported issue. Though, we need to upgrade
the bouncycastle version in order to stop from being flagged by scanning tools
> Upgrade bouncycastle component versions
> ---------------------------------------
>
> Key: QPID-8501
> URL: https://issues.apache.org/jira/browse/QPID-8501
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-8.0.3
> Reporter: Dedeepya
> Priority: Major
> Fix For: qpid-java-broker-8.0.4, qpid-java-broker-7.1.12
>
>
> The below components are reported as vulnerabilities and need to be upgraded
> ||Component Name||Component Version||
> |org.bouncycastle:bcprov-jdk15on|1.66|
> The above package is vulnerable to Comparison Using Wrong Factors. The
> {{OpenBSDBCrypt.checkPassword}} utility method compared incorrect data when
> checking the password, allowing incorrect passwords to indicate they were
> matching with previously hashed ones that were different.
> [https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448]
> This is a test dependency, hence QPID broker is not vulnerable to the
> reported issue. Though, we need to upgrade the bouncycastle version in order
> to stop from being flagged by scanning tools
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
