[fix][sec] Upgrade Bouncycastle libraries to address CVEs (apache#22826)

(cherry picked from commit 05d98f7) (cherry picked from commit fd4df2c)
datastax · Jun 7, 2024 · 7b426c6 · 7b426c6
1 parent 12971bc
commit 7b426c6
Show file tree

Hide file tree

Showing 5 changed files with 14 additions and 18 deletions.
diff --git a/bouncy-castle/bc/LICENSE b/bouncy-castle/bc/LICENSE
@@ -205,6 +205,5 @@
 This projects includes binary packages with the following licenses:
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-jdk18on-1.78.jar
-    - org.bouncycastle-bcprov-jdk18on-1.78.jar
-    - org.bouncycastle-bcprov-ext-jdk18on-1.78.jar
+    - org.bouncycastle-bcpkix-jdk18on-1.78.1.jar
+    - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -579,10 +579,9 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
-    - org.bouncycastle-bcpkix-jdk18on-1.78.jar
-    - org.bouncycastle-bcprov-ext-jdk18on-1.78.jar
-    - org.bouncycastle-bcprov-jdk18on-1.78.jar
-    - org.bouncycastle-bcutil-jdk18on-1.78.jar
+    - org.bouncycastle-bcpkix-jdk18on-1.78.1.jar
+    - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
+    - org.bouncycastle-bcutil-jdk18on-1.78.1.jar
 
 Datastax
     - com.datastax.oss-managed-ledger-3.1.4.2-SNAPSHOT.jar

diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -466,10 +466,9 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
-    - bcpkix-jdk18on-1.78.jar
-    - bcprov-ext-jdk18on-1.78.jar
-    - bcprov-jdk18on-1.78.jar
-    - bcutil-jdk18on-1.78.jar
+    - bcpkix-jdk18on-1.78.1.jar
+    - bcprov-jdk18on-1.78.1.jar
+    - bcutil-jdk18on-1.78.1.jar
 
 ------------------------
 

diff --git a/pom.xml b/pom.xml
@@ -155,9 +155,9 @@ flexible messaging model and an intuitive client API.</description>
     <slf4j.version>1.7.32</slf4j.version>
     <commons.collections4.version>4.4</commons.collections4.version>
     <log4j2.version>2.18.0</log4j2.version>
-    <bouncycastle.version>1.78</bouncycastle.version>
-    <bouncycastle.bcpkix-fips.version>1.0.6</bouncycastle.bcpkix-fips.version>
-    <bouncycastle.bc-fips.version>1.0.2.4</bouncycastle.bc-fips.version>
+    <bouncycastle.version>1.78.1</bouncycastle.version>
+    <bouncycastle.bcpkix-fips.version>1.0.7</bouncycastle.bcpkix-fips.version>
+    <bouncycastle.bc-fips.version>1.0.2.5</bouncycastle.bc-fips.version>
     <jackson.version>2.14.2</jackson.version>
     <reflections.version>0.10.2</reflections.version>
     <swagger.version>1.6.2</swagger.version>

diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
@@ -588,7 +588,6 @@ Creative Commons Attribution License
 
 Bouncy Castle License
  * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
-   - bcpkix-jdk18on-1.78.jar
-   - bcprov-ext-jdk18on-1.78.jar
-   - bcprov-jdk18on-1.78.jar
-   - bcutil-jdk18on-1.78.jar
+   - bcpkix-jdk18on-1.78.1.jar
+   - bcprov-jdk18on-1.78.1.jar
+   - bcutil-jdk18on-1.78.1.jar