search

confluentinc / common

Common utilities library containing metrics, config and utils
Apache License 2.0
6 stars 242 forks source link

Update dependency org.bouncycastle:bc-fips to v1.0.2.5 [SECURITY] (7.4.x) #715

Closed renovatebot-confluentinc[bot] closed 2 weeks ago

renovatebot-confluentinc[bot] commented 3 weeks ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.bouncycastle:bc-fips 1.0.2.4 -> 1.0.2.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-29857

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.

CGA-h49m-7vwx-446f / CGA-pmw5-3929-3rqr / CGA-x9cj-c42r-f4mr / CVE-2024-29857 / GHSA-8xfc-gm6g-vgpv

More information #### Details An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-29857](https://nvd.nist.gov/vuln/detail/CVE-2024-29857) - [https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63](https://togithub.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63) - [https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501f](https://togithub.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501f) - [https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281](https://togithub.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281) - [https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857](https://togithub.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857) - [https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857](https://togithub.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857) - [https://www.bouncycastle.org/latest_releases.html](https://www.bouncycastle.org/latest_releases.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-8xfc-gm6g-vgpv) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Renovate Bot.

renovatebot-confluentinc[bot] commented 2 weeks ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (1.0.2.5). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.