Update bouncycastle and jackson, current versions have known security issues #50

Open
Loki-Afro opened this issue Dec 2, 2019 · 1 comment


@Loki-Afro

If one simply includes this library and does not handle dependencies properly (which is a pain with bouncycastle in any way), one ends up with outdated libraries :/

So could you please update the dependencies?

Details:

    mvn org.owasp:dependency-check-maven:5.2.4:aggregate
    ....

    One or more dependencies were identified with known vulnerabilities in Passkit4j:

    jackson-databind-2.1.0.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.0, cpe:2.3:a:fasterxml:jackson:2.1.0:*:*:*:*:*:*:*, cpe:2.3:a:fasterxml:jackson-databind:2.1.0:*:*:*:*:*:*:*) : CVE-2017-15095, CVE-2017-17485, CVE-2017-7525, CVE-2018-1000873, CVE-2018-11307, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-5968, CVE-2018-7489, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531
    bcprov-jdk15on-1.47.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.47, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.47:*:*:*:*:*:*:*) : CVE-2013-1624, CVE-2015-6644, CVE-2015-7940, CVE-2016-1000338, CVE-2016-1000339, CVE-2016-1000341, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000345, CVE-2016-1000346, CVE-2016-1000352, CVE-2017-13098, CVE-2018-1000613

@JakobStadlhuber

An update would be nice. In the meantime you could just override the dependencies:

    implementation("org.bouncycastle:bcprov-jdk15on:1.69")
    implementation("org.bouncycastle:bcpkix-jdk15on:1.69")
    implementation("org.bouncycastle:bcmail-jdk15on:1.69")
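
A check that a set of overrides covers every artifact flagged in a dependency-check report like the one in this issue, as an added example that is not part of either comment or of the project. The function names are hypothetical, and the sample report is abbreviated from the output quoted above (CVE lists shortened).

```python
import re

# One finding line of the dependency-check console summary quoted in the issue:
#   <jar> (pkg:maven/<group>/<artifact>@<version>, cpe:...) : CVE-..., CVE-...
FINDING = re.compile(
    r"^(?P<jar>\S+\.jar) \(pkg:maven/(?P<group>[^/\s]+)/(?P<artifact>[^@\s]+)"
    r"@(?P<version>[^,)\s]+).*\) : (?P<cves>CVE-\d{4}-\d+(?:, CVE-\d{4}-\d+)*)\s*$"
)

def parse_findings(report: str) -> dict:
    """Map 'group:artifact' -> (flagged version, [CVE ids]) for each finding line."""
    findings = {}
    for line in report.splitlines():
        m = FINDING.match(line.strip())
        if m:
            key = f"{m['group']}:{m['artifact']}"
            findings[key] = (m["version"], m["cves"].split(", "))
    return findings

def parse_overrides(build_lines: str) -> dict:
    """Map 'group:artifact' -> version from quoted "group:artifact:version" strings."""
    coords = re.findall(r'"([^":\s]+):([^":\s]+):([^":\s]+)"', build_lines)
    return {f"{group}:{artifact}": version for group, artifact, version in coords}

def uncovered(findings: dict, overrides: dict) -> dict:
    """Findings with no override, or overridden to the very version that was flagged."""
    return {k: v for k, v in findings.items() if overrides.get(k) in (None, v[0])}

# Sample input, abbreviated from the report quoted in the issue.
REPORT = """\
jackson-databind-2.1.0.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.1.0, cpe:2.3:a:fasterxml:jackson-databind:2.1.0:*:*:*:*:*:*:*) : CVE-2017-15095, CVE-2017-7525
bcprov-jdk15on-1.47.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.47, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.47:*:*:*:*:*:*:*) : CVE-2013-1624, CVE-2018-1000613
"""
# The three override lines suggested in the comment above.
OVERRIDES = '''
implementation("org.bouncycastle:bcprov-jdk15on:1.69")
implementation("org.bouncycastle:bcpkix-jdk15on:1.69")
implementation("org.bouncycastle:bcmail-jdk15on:1.69")
'''

if __name__ == "__main__":
    gaps = uncovered(parse_findings(REPORT), parse_overrides(OVERRIDES))
    for name, (version, cves) in gaps.items():
        print(f"{name}@{version} has no version override ({len(cves)} CVEs listed)")
```

An override to a different version only shows the artifact was re-pinned; rerun the scan to confirm the new version clears the listed CVEs.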
