[
https://issues.apache.org/jira/browse/HBASE-28089?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17767421#comment-17767421
]
Hudson commented on HBASE-28089:
--------------------------------
Results for branch branch-2
[build #885 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/885/]:
(x) *{color:red}-1 overall{color}*
----
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/885/General_20Nightly_20Build_20Report/]
(x) {color:red}-1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/885/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/885/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/885/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> Upgrade BouncyCastle to fix CVE-2023-33201
> ------------------------------------------
>
> Key: HBASE-28089
> URL: https://issues.apache.org/jira/browse/HBASE-28089
> Project: HBase
> Issue Type: Task
> Reporter: Nihal Jain
> Assignee: Nihal Jain
> Priority: Major
> Fix For: 2.6.0, 3.0.0-beta-1
>
>
> HBase has a dependency on BouncyCastle 1.70 which is vulnerable with
> [CVE-2023-33201|https://nvd.nist.gov/vuln/detail/CVE-2023-33201]
> Advisory: [https://github.com/bcgit/bc-java/wiki/CVE-2023-33201]
> This JIRA's goal is to fix the following:
> * Upgrade to v1.76, the latest version.
> ** This requires bcprov-jdk15on to be replaced with bcprov-jdk18on
> ** See [https://www.bouncycastle.org/latest_releases.html]
> ***
> {quote}*Java Version Details* With the arrival of Java 15. jdk15 is not quite
> as unambiguous as it was. The *jdk18on* jars are compiled to work with
> *anything* from Java 1.8 up. They are also multi-release jars so do support
> some features that were introduced in Java 9, Java 11, and Java 15. If you
> have issues with multi-release jars see the jdk15to18 release jars below.
> *Packaging Change (users of 1.70 or earlier):* BC 1.71 changed the jdk15on
> jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or
> containers/applications that cannot cope with multi-release jars, you should
> now use the jdk15to18 jars.
> {quote}
> * Exclude bcprov-jdk15on from everywhere else to avoid conflicts with
> bcprov-jdk18on
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
