OPCFoundation / UA-Java-Legacy

This repository is provided by OPC Foundation as legacy support for a Java version for OPC UA.
https://github.com/OPCFoundation/UA-.NETStandard

CVE vulnerabilities reported in BouncyCastle jars #235

Closed jchirantan closed 5 months ago

jchirantan commented 5 months ago

Hi @jouniaro

CVE-2024-30171 - Medium Severity Vulnerability reported on the bouncycastle jars:

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15to18</artifactId>
    <version>1.64</version>
    <optional>true</optional>
</dependency>

Dependent libraries:

Is there any plan to upgrade the dependency?

jouniaro commented 5 months ago

Thanks for the note. I guess it would be good to update the dependency. In general, the stack does not depend on a specific version of BC and you can always use a later version in practice. But I will update it.