bouncycastle 1.6.4 has CVE-2020-15522

[ccoltx]

The current bouncycastle version 1.6.4 has known CVE-2020-15522.

https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on/1.64 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Update to 1.70

[loetifuss]

Not sure if I'm missing something but currently we're using Bouncycastle 1.66. The CVE you linked above states that:

Bouncy Castle BC Java before 1.66, BC ... have a timing issue within the EC math library ...

This issue seems to be fixed in BC versions 1.66 and later: https://github.com/bcgit/bc-java/wiki/CVE-2020-15522

However there will be a release containing some updated libraries soon, so Bouncycastle could be updated as well.

[ccoltx]

You are correct. Unfortunately I referenced the wrong CVE, it should have been: https://nvd.nist.gov/vuln/detail/CVE-2020-28052

https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on/1.66

[loetifuss]

@ccoltx there is a new release using Bouncycastle 1.70 available on Maven Central:

https://search.maven.org/artifact/de.tk.opensource/secon-tool/1.1.1/jar

[ccoltx]

Thanks @loetifuss - I'm already using it.