AgNO3 / jcifs-ng

A cleaned-up and improved version of the jCIFS library
GNU Lesser General Public License v2.1

Updating bcprov-jdk18on to fix CVE-2024-29857 and other CVEs #357

Open Skillzore opened 4 months ago

Skillzore commented 4 months ago

Just wondering if there are any plans to update the bouncycastle dependency to the latest version 1.78.1 to get rid of the CVEs present in the current version of the dependency?

For reference, see Security Advisories in the bouncycastle release notes here.

mbechler commented 4 months ago

Unless there is a binary or source incompatibility preventing people from upgrading - I'm not going to do releases just to bump the pom version - consumers can just override the version and management of runtime dependency versions generally is up to them.

miroslavvojtus commented 1 month ago

  1. Thanks for your work.
  2. This is a pretty unfortunate approach. It is common practice that a library maintainer maintains safe dependencies if it uses dependency management tools. This way we are making the whole community vulnerable. It is like: why should thousands of dependent projects make a hack if only the one they depend on may do it right?

mbechler commented 1 month ago

What you are implying is that hundreds to thousands of library maintainers should push "empty" releases each time a dependency makes a compatible release - with all due respect - this would be a complete waste of time for everybody.
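The consumer-side override mbechler refers to above, as an added example that is not part of the thread or of the jcifs-ng project: a Maven `pom.xml` fragment pinning the transitive BouncyCastle provider to the 1.78.1 release named in the issue. The `eu.agno3.jcifs:jcifs-ng` coordinates are assumed and the jcifs-ng version is a placeholder.

```xml
<!-- Consumer pom.xml fragment (added example, not from the jcifs-ng project). -->
<project>
  <!-- ... groupId/artifactId/version of the consuming application ... -->

  <dependencyManagement>
    <dependencies>
      <!-- Pin the BouncyCastle provider that jcifs-ng pulls in transitively.
           An entry here overrides the version declared in jcifs-ng's own pom,
           so no new jcifs-ng release is needed to pick up 1.78.1. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>1.78.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Coordinates assumed for this example; version is a placeholder. -->
    <dependency>
      <groupId>eu.agno3.jcifs</groupId>
      <artifactId>jcifs-ng</artifactId>
      <version>JCIFS_NG_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the effective version with `mvn dependency:tree -Dincludes=org.bouncycastle`, which should resolve `bcprov-jdk18on` to 1.78.1 on every path that reaches it.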