
Override bcprov-jdk18on transient dependency #663

Merged
merged 1 commit into master from override-bcprov-jdk18on-transient-dep
May 2, 2024

Conversation

joaocsf
Contributor

@joaocsf joaocsf commented May 2, 2024

Addresses SNYK-JAVA-ORGBOUNCYCASTLE-6612984.
This vulnerability was already addressed by hierynomus/sshj#938, but a new version is yet to be released.

Does this change relate to existing issues or pull requests?

No.

Does this change require an update to the documentation?

No.

How has this been tested?

Relying on the existing CI.

[info] org.bouncycastle:bcprov-jdk18on:1.75 (evicted by: 1.78.1)
[info]   +-com.hierynomus:sshj:0.38.0
[info]     +-com.velocidi:apso-io_2.13:0.19.5-SNAPSHOT [S]
[info]
[info] org.bouncycastle:bcprov-jdk18on:1.75 (evicted by: 1.78.1)
[info]   +-com.hierynomus:sshj:0.38.0
[info]     +-com.velocidi:apso-io_2.13:0.19.5-SNAPSHOT [S]
[info]       +-com.velocidi:apso_2.13:0.19.5-SNAPSHOT [S]
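The fix the PR describes, written out as an sbt build fragment. This is an added example, not the apso project's own build definition (the PR diff is not shown on this page); it assumes the project uses sbt's `dependencyOverrides` setting, and the artifact coordinates and versions are taken from the dependency-tree output above.

```scala
// build.sbt (added example, not the apso project's actual build file)
//
// sshj 0.38.0 transitively pulls in org.bouncycastle:bcprov-jdk18on:1.75, which is
// flagged by SNYK-JAVA-ORGBOUNCYCASTLE-6612984. Until an sshj release ships the
// upstream fix (hierynomus/sshj#938), pin the transitive artifact to a patched
// version in the consuming project.
//
// Assumption: the versions below come from the PR's `sbt evicted` output; use the
// versions your own build reports.
val bouncyCastleVersion = "1.78.1"

libraryDependencies ++= Seq(
  "com.hierynomus" % "sshj" % "0.38.0"
)

// dependencyOverrides forces the resolved version of an artifact no matter which
// transitive dependency requested it. It does not add the artifact to the graph
// by itself, so it only takes effect while something (here sshj) depends on it.
// Remove this once an sshj release with the upstream fix is available.
dependencyOverrides ++= Seq(
  "org.bouncycastle" % "bcprov-jdk18on" % bouncyCastleVersion
)
```

After adding the override, `sbt evicted` should report `bcprov-jdk18on:1.75 (evicted by: 1.78.1)` under the sshj subtree, exactly as in the output above; if the line is missing, the override is not being applied to that configuration. One caveat worth keeping in mind: Bouncy Castle publishes its artifacts in lockstep, so if the build also resolves `bcpkix-jdk18on` or `bcutil-jdk18on`, they should be pinned to the same version rather than left mixed with a different bcprov release.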

@joaocsf joaocsf requested a review from jcazevedo May 2, 2024 07:50
@joaocsf joaocsf self-assigned this May 2, 2024
Member

@jcazevedo jcazevedo left a comment


Thanks! I'll prepare a new release once this is merged in.

AwsJavaSdkCore,
AwsJavaSdkS3,
// FIX: Explicitly override transient bouncy castle versions from `sshj`: https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6612984
Member


Can you leave a link to this PR stating that we can remove the explicit evictions once a version of sshj with that patch is released?

Contributor Author


Sure! https://github.com/adzerk/apso/compare/5a118b8abedd7a86a875f4bdcaa5f89e64976eee..7c1530732554553bc561dc51efeedb9537b3c566

Thank you 🙏

@joaocsf joaocsf force-pushed the override-bcprov-jdk18on-transient-dep branch from 5a118b8 to 7c15307 Compare May 2, 2024 09:41
Member

@jcazevedo jcazevedo left a comment


Thank you!

@jcazevedo jcazevedo enabled auto-merge May 2, 2024 09:42
@jcazevedo jcazevedo merged commit 8be256d into master May 2, 2024
14 checks passed
@jcazevedo jcazevedo deleted the override-bcprov-jdk18on-transient-dep branch May 2, 2024 09:46