fix: Security fix for bouncycastle #83

Merged
merged 7 commits into from
Nov 27, 2023

Conversation

adkumar1
Contributor

  • To fix the below issue:
    Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.
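As an added check that is not part of this PR or the project's code: the script below scans `mvn dependency:tree` style output for Bouncy Castle artifacts older than the fixed 1.73 release, so a build can fail before a vulnerable `PEMParser` ships. The sample tree lines are constructed, and the numeric compare assumes Bouncy Castle's `1.NN` version scheme.

```shell
#!/bin/sh
# Added example (not project code): flag Bouncy Castle artifacts below 1.73,
# the release that fixes the PEMParser DoS (CVE-2023-33202).
# Assumes Bouncy Castle's "1.NN" version scheme, so a numeric compare suffices.

FIXED_VERSION="1.73"

# Constructed sample of what `mvn dependency:tree` prints; not real project output.
SAMPLE_TREE='[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcpkix-jdk18on:jar:1.70:compile
[INFO] +- org.bouncycastle:bcutil-jdk18on:jar:1.73:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.3:compile'

# Read tree text from stdin; print "group:artifact:version" for each
# Bouncy Castle coordinate whose version is older than FIXED_VERSION.
find_vulnerable_bc() {
    awk -v fixed="$FIXED_VERSION" '
        /org\.bouncycastle:/ {
            coord = ""
            # Isolate the Maven coordinate token on this line.
            for (i = 1; i <= NF; i++) if ($i ~ /^org\.bouncycastle:/) coord = $i
            n = split(coord, f, ":")   # group, artifact, packaging, version, scope
            if (n >= 4 && (f[4] + 0) < (fixed + 0))
                print f[1] ":" f[2] ":" f[4]
        }'
}

# Return 1 when any vulnerable coordinate is found, so CI can gate on it.
check_tree() {
    hits=$(find_vulnerable_bc)
    if [ -n "$hits" ]; then
        echo "Bouncy Castle below $FIXED_VERSION (CVE-2023-33202, PEMParser DoS):" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample (the `if` keeps set -e quiet).
if printf '%s\n' "$SAMPLE_TREE" | check_tree; then
    echo "OK: no Bouncy Castle artifact below $FIXED_VERSION"
fi
```

In a real pipeline, pipe `mvn dependency:tree` (or the equivalent Gradle `dependencies` output) into `check_tree` instead of the sample.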


@carslen carslen left a comment

Why bump the minor version of the Helm Chart instead of bumping the patch version to 10? To fix a security issue, the application version should be bumped as well.

In addition, it would be nice if you could provide clear instructions about the expected build workflow runs and GH releases. Otherwise committers will have to wildly guess the next steps.

@adkumar1
Contributor Author

adkumar1 commented Nov 27, 2023

> Why bump the minor version of the Helm Chart instead of bumping the patch version to 10? To fix a security issue, the application version should be bumped as well.
>
> In addition, it would be nice if you could provide clear instructions about the expected build workflow runs and GH releases. Otherwise committers will have to wildly guess the next steps.

Hi @carslen, I thought the next incremental version in a single digit after 2.1.9 would be 2.2.0.
Now I have updated it to 2.1.10. Thanks

@adkumar1 adkumar1 changed the title fix: Trivy security fix fix: Security fix for bouncycastle Nov 27, 2023
@adkumar1 adkumar1 requested a review from carslen November 27, 2023 09:26
@carslen carslen merged commit 04ddda3 into eclipse-tractusx:main Nov 27, 2023
3 checks passed
@carslen carslen deleted the CVE-2023-33202-fix branch November 27, 2023 09:40