CVE-2017-13098 #156

Closed
karlhe opened this issue Mar 1, 2018 · 2 comments

karlhe commented Mar 1, 2018

There's a TLS vulnerability fixed in Bouncy Castle 1.59: https://www.kb.cert.org/vuls/id/CHEU-AT5U7K

I'm assuming it would've been updated in the next jruby-openssl release regardless, but dropping a note here.

headius (Member) commented Mar 2, 2018

Hey, thanks for opening the issue! We'll get a release spun as soon as possible. BC has an annoying tendency to break their own APIs.

If you're so inclined, you might try updating it yourself (follow build instructions in the repo) and see what you run into :-)

kares (Member) commented Mar 2, 2018

Although we would love to have the resources to switch to BC's JSSE - making SSL/TLS more predictable.
We're using much of BC but not its SSL engine - so far it isn't even included in any of the jossl releases ...
(Included in master in hopes of starting to use it, but that wasn't released and is blocked by another issue.)

kares added the invalid label Mar 2, 2018
kares closed this as completed May 16, 2018