Please update Bouncy Castle

Issue #356 invalid
Neustradamus created an issue

Comments (6)

  1. Neustradamus reporter

    Yes, 1.65 at this time.

    Can you look at the previous links?

    Can you reopen this ticket before a solution?

    Thanks in advance.

  2. Yavor Vasilev

    Hi,

    Could you elaborate?

    If you need a specific recent BC version, you can always set it in your own pom.xml. The range allows this.

    Also, please note that BC is a huge library and we only use a subset of its code. So not all CVEs apply.

  3. Yavor Vasilev

    We’ll do a min version bump for that in a next release.

    When you build your project today you will automatically get the latest stable BC version, i.e. 1.65. You can check your IDE libs section.

    This is how ranges work: https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html

    By putting a range open for the latest stable BC version we don’t need to be constantly updating the BC version when a new one comes out (to address a CVE or for any other reason).

  4. Yavor Vasilev

    Here is a Maven command you can run to make sure your Maven is picking up the latest BC:

    mvn dependency:tree
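
Added example, not part of the thread or the project's own code: a check that reads `mvn dependency:tree` output and reports any `org.bouncycastle` artifact that resolved below a minimum version, since an open range or a transitive dependency can leave an older BC on the classpath. The tree text is a constructed sample, the `com.example` coordinates are hypothetical, and the 1.65 floor is an assumption taken from the version named in the thread.

```python
import re

MIN_BC = (1, 65)  # assumption: floor taken from the version named in the thread

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0-SNAPSHOT
[INFO] +- com.example:jwt-lib:jar:8.0:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.65:compile
[INFO] +- com.example:legacy-crypto:jar:2.1:compile
[INFO] |  \\- org.bouncycastle:bcpkix-jdk15on:jar:1.60:compile
[INFO] \\- junit:junit:jar:4.13:test
"""


def version_tuple(version):
    """Turn '1.65' or '1.65.01' into a tuple of ints for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolved_bc(tree_text):
    """Return {artifactId: version} for every org.bouncycastle node."""
    found = {}
    for coord in re.findall(r"org\.bouncycastle:\S+", tree_text):
        fields = coord.split(":")
        # Layout is groupId:artifactId:type[:classifier]:version:scope
        if len(fields) in (5, 6):
            found[fields[1]] = fields[-2]
    return found


def below_minimum(tree_text, minimum=MIN_BC):
    """List (artifactId, version) pairs that resolved below the minimum."""
    return sorted(
        (artifact, version)
        for artifact, version in resolved_bc(tree_text).items()
        if version_tuple(version) < minimum
    )


if __name__ == "__main__":
    floor = ".".join(map(str, MIN_BC))
    for artifact, version in below_minimum(SAMPLE_TREE):
        print(f"{artifact} resolved to {version}, below {floor}")
```

To use it on a real build, pass the captured output of `mvn dependency:tree` to `below_minimum` in place of the constructed sample.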
    
