- changed status to invalid
Please update Bouncy Castle
Comments (6)
-
reporter Yes, 1.65 at this time.
Can you look at the previous links?
Can you reopen this ticket before a solution?
Thanks in advance.
-
Hi,
Could you elaborate?
If you need a specific recent BC version, you can always set it in your own pom.xml. The range allows this.
Also, please note that BC is a huge library and we only use a subset of its code. So not all CVEs apply.
-
reporter Can you update it directly because of CVEs?
Bouncy Castle 1.52 to Bouncy Castle 1.65
Recall:
- http://www.bouncycastle.org/latest_releases.html
- https://www.cvedetails.com/vulnerability-list/vendor_id-7637/Bouncycastle.html
-
We’ll do a min version bump for that in the next release.
When you build your project today you will automatically get the latest stable BC version, i.e. 1.65. You can check your IDE libs section.
This is how ranges work: https://maven.apache.org/enforcer/enforcer-rules/versionRanges.html
By leaving the range open to the latest stable BC version, we don’t need to constantly update the BC version when a new one comes out (to address a CVE or for any other reason).
-
Here is a Maven command you can run to make sure your Maven is picking up the latest BC:
mvn dependency:tree
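The consumer-side override the maintainer describes above (pinning a specific BC version from your own pom.xml so the open range does not pick it for you), as an added example that is not part of this thread or of the nimbus-jose-jwt project's own pom.xml. It assumes the library declares its Bouncy Castle dependencies with an open range such as `[1.52,)` on the artifacts `org.bouncycastle:bcprov-jdk15on` and `org.bouncycastle:bcpkix-jdk15on` (both assumptions), and it uses a placeholder property for the nimbus-jose-jwt version because the thread does not name one. The pinned version 1.65 is the one discussed above.

```xml
<!-- Added example, not the project's pom.xml.
     Assumes nimbus-jose-jwt pulls in org.bouncycastle:bcprov-jdk15on and
     org.bouncycastle:bcpkix-jdk15on through an open version range like [1.52,). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>jwt-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder: set this to the nimbus-jose-jwt release you actually consume. -->
    <nimbus-jose-jwt.version>REPLACE_ME</nimbus-jose-jwt.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version takes precedence over the version (or range) declared
           by a transitive dependency. This makes the BC version explicit and the
           build reproducible: BC no longer changes just because a newer release
           appeared in the repository since the last build. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.65</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
        <version>1.65</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>${nimbus-jose-jwt.version}</version>
    </dependency>
  </dependencies>
</project>
```

With the block in place, `mvn dependency:tree -Dincludes=org.bouncycastle` lists the BC artifacts at 1.65 annotated as version-managed, which is the check worth running after a BC advisory. Two caveats that follow from how ranges resolve: Maven picks the newest version present in the repository metadata it has cached, and that metadata is only refreshed per the repository's update policy (daily by default), so a build can lag a fresh BC release until `mvn -U` forces a metadata refresh; conversely, without a managed version the BC version can change between two builds of the same commit, which is exactly what a supply-chain reviewer will want to rule out.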
-
POM BC dependency always uses the latest version: https://bitbucket.org/connect2id/nimbus-jose-jwt/src/85ce8b9d9ee86b81e56e05045fa548e328ad3962/pom.xml#lines-64