opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

Update BouncyCastle to address CVE-2024-30172, CVE-2024-30171 and CVE-2024-29857 #4454

Closed jaguilar-atl closed 2 weeks ago

jaguilar-atl commented 2 weeks ago

Description

Upgrading BouncyCastle from 1.75 to 1.78.1 to address potential vulnerabilities.

A similar change was made to the OpenSearch core repo here: https://github.com/opensearch-project/OpenSearch/pull/13484

Issues Resolved

This will address the following potential vulnerabilities:
https://www.cve.org/CVERecord?id=CVE-2024-30172
https://www.cve.org/CVERecord?id=CVE-2024-30171
https://www.cve.org/CVERecord?id=CVE-2024-29857

Check List

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.
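A practical follow-up to a dependency bump like this one is confirming that no pre-fix BouncyCastle jar is still present on the nodes (for example a stale copy left in a plugin directory after an upgrade). The check below is an added example, not code from the OpenSearch security plugin or this PR. It assumes BouncyCastle's Maven artifact naming (`bcprov-jdk18on-<version>.jar`, `bcpkix-...`, `bcutil-...`) and uses a constructed list of jar names as sample input; `scan_plugin_dir` is a hypothetical helper that runs the same check over a real directory.

```python
"""Flag BouncyCastle jars older than the version this PR bumps to (1.78.1).

Added example, not part of the OpenSearch security plugin. Assumptions:
jar files follow BouncyCastle's Maven naming (bcprov-jdk18on-<ver>.jar,
bcpkix-jdk18on-<ver>.jar, bcutil-jdk18on-<ver>.jar); the SAMPLE_JARS
list below is constructed for illustration.
"""
import re
from pathlib import Path

# Version the PR upgrades to; anything below this is treated as outdated.
FIXED_VERSION = (1, 78, 1)

# Assumed artifact naming: bcprov/bcpkix/bcutil for any jdkNNon classifier,
# followed by a dotted numeric version and the .jar suffix.
BC_JAR = re.compile(r"^(bc(?:prov|pkix|util)-jdk\d+on)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.78.1' -> (1, 78, 1); tuples compare element-wise, so 1.78 < 1.78.1."""
    return tuple(int(part) for part in text.split("."))


def find_outdated_bc_jars(jar_names):
    """Return (jar name, version) for every BouncyCastle jar below FIXED_VERSION.

    Non-BouncyCastle jars are ignored; jars at or above the fixed version pass.
    """
    outdated = []
    for name in jar_names:
        match = BC_JAR.match(name)
        if not match:
            continue
        _artifact, version = match.groups()
        if parse_version(version) < FIXED_VERSION:
            outdated.append((name, version))
    return outdated


def scan_plugin_dir(path):
    """Hypothetical helper: apply the check to the jar files in a directory."""
    names = sorted(p.name for p in Path(path).iterdir() if p.is_file())
    return find_outdated_bc_jars(names)


# Constructed sample: two stale 1.75 jars alongside a fixed 1.78.1 jar and
# unrelated libraries that must not be reported.
SAMPLE_JARS = [
    "bcprov-jdk18on-1.75.jar",
    "bcpkix-jdk18on-1.78.1.jar",
    "bcutil-jdk18on-1.75.jar",
    "other-library-3.2.jar",
    "another-library-1.0.0.jar",
]

if __name__ == "__main__":
    for name, version in find_outdated_bc_jars(SAMPLE_JARS):
        print(f"outdated BouncyCastle jar: {name} (version {version})")
```

Run it against a node's plugin directory with `scan_plugin_dir("/path/to/plugins/opensearch-security")` after the upgrade; an empty result means every BouncyCastle jar found is at or above 1.78.1. The check matches on file names only, so a renamed or shaded copy of the library would not be caught.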

willyborankin commented 2 weeks ago

There is an open PR https://github.com/opensearch-project/security/pull/4437 with the same version

jaguilar-atl commented 2 weeks ago

> There is an open PR #4437 with the same version

Oh right, I missed that! I'm happy to close this one then and just wait for that other PR to go through.

Thanks for looking into it @willyborankin !

jaguilar-atl commented 2 weeks ago

Closing this as the same version bump is already being addressed in https://github.com/opensearch-project/security/pull/4437