Update BouncyCastle dependency to at least 1.56 #4666

Closed
aiannucci opened this issue Jun 13, 2017 · 1 comment

aiannucci commented Jun 13, 2017

Release 1.56 of BC fixes 10 different vulnerabilities which all have CVEs.
https://www.bouncycastle.org/releasenotes.html

Threat varies from 3.0 to 7.5 (the highest) according to Sonatype.

JRuby 1.7.27 shades the BouncyCastle library (v1.55), so it is hard to override with a newer version.

kares (Member) commented Jun 16, 2017

JRuby does not shade BC. BC is part of jruby-openssl, thus you should update the gem (latest uses 1.56 already). There likely won't be more 1.7 releases, thus this should be the preferred option.
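The fix suggested in this reply is a gem upgrade rather than a JRuby release, so the practical follow-up is verifying that a project's lockfile actually carries a jruby-openssl version at or above the one bundling BC 1.56. The script below is an added example, not code from this issue or from the JRuby project: it parses the `specs:` section of a `Gemfile.lock` and reports gems below a required floor. The issue does not name which jruby-openssl version first bundled BC 1.56, so the `0.9.20` floor in `MINIMUM_VERSIONS` is a placeholder assumption to replace with the real value; the lockfile content is constructed for the example.

```ruby
require "rubygems"

# Minimum gem versions to require. The issue says the latest jruby-openssl
# bundles BC 1.56 but does not name the gem version, so "0.9.20" is a
# PLACEHOLDER assumption, not a value taken from the issue.
MINIMUM_VERSIONS = {
  "jruby-openssl" => "0.9.20",
}.freeze

# Constructed sample Gemfile.lock (not from any real project) with a
# jruby-openssl version deliberately below the placeholder floor.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jar-dependencies (0.3.11)
      jruby-openssl (0.9.19-java)
        jar-dependencies (>= 0.1.16)
      rake (12.0.0)

  PLATFORMS
    java

  DEPENDENCIES
    jruby-openssl
    rake
LOCK

# Parse the "specs:" block of a Gemfile.lock into { gem_name => version }.
# Top-level spec lines are indented exactly four spaces; their dependency
# lines are indented deeper and skipped. A platform suffix such as
# "0.9.19-java" is stripped, because Gem::Version would otherwise read the
# "-java" part as a prerelease tag and rank it below the plain version.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    # Any non-indented line (PLATFORMS, DEPENDENCIES, ...) ends the block.
    in_specs = false if in_specs && line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      version = m[2].split("-", 2).first
      specs[m[1]] = version
    end
  end
  specs
end

# Return { gem_name => locked_version } for every gem in `minimums` whose
# locked version is below its required floor. Gems absent from the lockfile
# are not reported; they are simply not installed.
def outdated_gems(lockfile_text, minimums = MINIMUM_VERSIONS)
  specs = parse_lockfile_specs(lockfile_text)
  minimums.each_with_object({}) do |(name, floor), out|
    locked = specs[name]
    next unless locked
    out[name] = locked if Gem::Version.new(locked) < Gem::Version.new(floor)
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  stale = outdated_gems(text)
  if stale.empty?
    puts "all audited gems meet their minimum versions"
  else
    stale.each { |name, v| puts "#{name} #{v} is below required #{MINIMUM_VERSIONS[name]}" }
  end
end
```

Run it with a path to a real `Gemfile.lock` as the first argument, or with no argument to audit the constructed sample. The comparison uses `Gem::Version` so that ordering follows RubyGems rules rather than string order (which would rank `0.9.9` above `0.9.19`).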

kares added this to the Invalid or Duplicate milestone Jun 22, 2017
kares modified the milestones: Won't Fix, Invalid or Duplicate Jun 22, 2017