[ https://issues.apache.org/jira/browse/CXF-7757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh reassigned CXF-7757:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Upgrade bouncycastle dependency to fix vulnerability
> ----------------------------------------------------
>
>                 Key: CXF-7757
>                 URL: https://issues.apache.org/jira/browse/CXF-7757
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 3.2.4
>            Reporter: Dominique Jacques-Brissette
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Apache CXF has a dependency on org.bouncycastle:bcprov-jdk15on@1.54 which has
> a vulnerability known as CVE-2016-1000338
> (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338)
>
> We discovered it in our projects via Snyk
> https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32340
>
> The whole dependency chain is as follows:
>
> org.apache.cxf:cxf-rt-ws-security@3.2.4
>   > org.apache.wss4j:wss4j-ws-security-policy-stax@2.2.1
>     > org.apache.wss4j:wss4j-ws-security-stax@2.2.1
>       > org.apache.wss4j:wss4j-ws-security-common@2.2.1
>         > org.opensaml:opensaml-xacml-saml-impl@3.3.0
>           > org.opensaml:opensaml-saml-impl@3.3.0
>             > org.opensaml:opensaml-soap-impl@3.3.0
>               > org.opensaml:opensaml-soap-api@3.3.0
>                 > org.opensaml:opensaml-xmlsec-api@3.3.0
>                   > org.opensaml:opensaml-security-api@3.3.0
>                     > org.cryptacular:cryptacular@1.1.1
>                       > *org.bouncycastle:bcprov-jdk15on@1.54*
>
> For example, if the transitive dependency cryptacular was at 1.2.2,
> then org.bouncycastle:bcprov-jdk15on@1.59 would be used and the
> vulnerability would be patched.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
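One way a consuming project can force the patched artifact described in the report while waiting for the upstream upgrade, as an added example that is neither the CXF project's own POM nor the reporter's: a Maven dependencyManagement override. The versions 1.59 and 1.2.2 are the ones named in the issue text; the pom.xml around this fragment is assumed, and the verification command is a standard maven-dependency-plugin invocation.

```xml
<!-- pom.xml of the consuming project (constructed example, not CXF's POM).
     dependencyManagement entries override the version chosen by Maven's
     nearest-wins resolution for transitive dependencies, so they take
     effect even though bcprov-jdk15on is eleven hops down the chain. -->
<dependencyManagement>
  <dependencies>
    <!-- Pin the transitive BouncyCastle provider to the version the
         report says cryptacular 1.2.2 would pull in. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.59</version>
    </dependency>
    <!-- Also raise cryptacular itself, the direct consumer of bcprov in
         the chain, so the override does not silently pair an old
         cryptacular with a newer provider it was never built against. -->
    <dependency>
      <groupId>org.cryptacular</groupId>
      <artifactId>cryptacular</artifactId>
      <version>1.2.2</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Check what actually resolved after the change:
       mvn dependency:tree -Dincludes=org.bouncycastle
     The tree should list bcprov-jdk15on:jar:1.59 under cryptacular, with
     Maven annotating that the version was managed from 1.54. If 1.54 still
     appears, some other module or parent POM is managing the version and
     that declaration has to be updated as well. -->
```

Overriding a transitive version this way is a stopgap: the proper fix remains the upstream bump tracked by this issue, since the override has to be carried in every consuming project.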