Adyen / adyen-3ds2-android

Apache License 2.0

Upgrade Bouncy Castle to v1.78+ to mitigate possible vulnerabilities #71

Closed (igortepavac closed this issue 3 weeks ago)

igortepavac commented 2 months ago

Is your feature request related to a problem? Please describe. The latest version of the 3DS2 SDK (v2.2.20) depends on a version of Bouncy Castle (v1.77) that has some open vulnerabilities. The vulnerabilities are listed on the 3DS2 SDK's Maven details.

Describe the solution you'd like Please upgrade the Bouncy Castle dependency to a newer version that doesn't have open vulnerabilities (at the time of writing v1.78+).

Describe alternatives you've considered /

Additional context Vulnerabilities:

I'm not sure if these issues are relevant to the implementation of 3DS2 SDK. Nonetheless, our internal security checks are flagging Adyen's libraries because of these vulnerabilities.

In any case, keeping up with the latest version of the BC library makes sense. So, I'm opening up an issue to keep track of this. Thank you!

fdcb commented 1 month ago

Hey @igortepavac thank you for reporting this. We will let you know once we release a version with Bouncy Castle updated.

GhassenMsd commented 3 weeks ago

Hey @fdcb! Do you have any information on when the Bouncy Castle version will be updated, please? We are facing a dependency conflict with another SDK that is using 1.78. Can you tell us if it will be in the next version? Thank you 🙏
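For the interim, the version conflict above can be resolved on the consuming app's side with a Gradle resolution rule. The following `build.gradle.kts` fragment is an added example, not code from the adyen-3ds2-android project or from anyone in this thread; it assumes the conflicting transitive artifact is `org.bouncycastle:bcprov-jdk18on` (the exact coordinates the 3DS2 SDK pulls in are not stated on this page, so confirm them from the dependency tree first) and that `1.78.1` is the version the other SDK needs.

```kotlin
// app/build.gradle.kts  (added example; assumes bcprov-jdk18on is the artifact in conflict)
//
// Confirm the real coordinates and the two requested versions before adding this:
//   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath | grep -i bouncycastle

configurations.all {
    resolutionStrategy {
        // Rewrite every request for an org.bouncycastle artifact to one version,
        // no matter which SDK declared it. This covers the 3DS2 SDK (1.77) and the
        // other SDK (1.78) in the same rule instead of forcing each artifact by name.
        eachDependency {
            if (requested.group == "org.bouncycastle") {
                useVersion("1.78.1") // assumed target version; pick the one your scanner accepts
                because("Align Bouncy Castle across SDKs; drop once every SDK ships 1.78+")
            }
        }
    }
}
```

Two caveats. Pinning a library to a version the 3DS2 SDK was not built against is a workaround, not a fix: a Bouncy Castle API that changed between the two versions would only show up at runtime (`NoSuchMethodError` or `NoClassDefFoundError` during the 3DS2 challenge flow), so run the full authentication flow in a test environment after adding the rule. And the rule only aligns versions of the same artifact; if the two SDKs depend on different Bouncy Castle artifacts (for example `bcprov-jdk15to18` and `bcprov-jdk18on`), both will be packaged and you will see duplicate-class errors instead, which need an `exclude` on one of the SDK dependencies rather than a version rule.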

tkuntubayev commented 3 weeks ago

Hi @igortepavac and @GhassenMsd, The new 3DS2 SDK version with updated Bouncy Castle dependency has been released. Please check for all updates here.