Closed loffing closed 1 week ago
If there is a vulnerability in the MQ client code (not this package), it will be reported via an IBM security bulletin.
So far, no version of the MQ client has been released with a later dependency level of the bouncy castle jars. (Version 9.3.5.1 didn't change those dependencies.) If and when a new MQ level comes out that uses the newer BC files, then it will get referenced through an update in this module. But right now, there's nothing that can be done here.
This vulnerability no longer exists in version 3.3.0 of mq-jms-spring-boot-starter.
Version 3.2.4 of mq-jms-spring-boot-starter is vulnerable to CVE-2024-34447 due to its transitive dependency on version 1.77 of org.bouncycastle:bcprov-jdk18on.