ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0
250 stars 107 forks

CVE-2023-34610 & CVE-2023-33201 vulnerabilities in dependencies #180

Closed randheerar closed 7 months ago

randheerar commented 8 months ago

Is there a plan to update the dependencies below to mitigate CVE-2023-34610 & CVE-2023-33201?

com.cedarsoftware » json-io --> Upgrade to 4.14.2
org.bouncycastle » bcprov-jdk18on --> Upgrade to 1.76

ebourg commented 7 months ago

These dependencies have already been updated on the master branch. Note that these vulnerabilities have no impact on Jsign (the BouncyCastle CertPath validation API isn't used, and no untrusted json data is parsed).

randheerar commented 7 months ago

Thanks @ebourg for the update