
Update FIPS API libraries of Bouncy Castle #1853

Merged
merged 4 commits into from
Jan 6, 2022

Conversation

tlfeng
Collaborator

@tlfeng tlfeng commented Jan 5, 2022

Description

Update the versions of all the remaining API libraries of org.bouncycastle, which are mainly FIPS APIs, after the recent commit db91d2e (PR #1832)
(Thanks for the comment #1853 (comment))

  • Update the version of bc-fips from 1.0.2 to 1.0.2.1 to reduce the vulnerability CVE-2020-15522
  • Update bcpg-fips from 1.0.4 to 1.0.5.1
  • Update bctls-fips from 1.0.9 to 1.0.12.2
  • Apply the unified defined version of bouncycastle to bcpkix-jdk15on, in HDFS testing fixture.

Issues Resolved

None.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Tianli Feng <[email protected]>
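As an added example (not code from OpenSearch or from this pull request), the kind of check a reviewer could run to catch the drift this PR corrects: it scans Gradle build files for `org.bouncycastle` coordinates, flags FIPS artifacts pinned to a version other than the expected one, and flags non-FIPS artifacts that hardcode a version instead of referencing the shared version property. The file paths, the file contents and the `${versions.bouncycastle}` property name are constructed assumptions; the expected FIPS versions are the ones listed in the description above.

```python
"""Audit Gradle build files for drifting org.bouncycastle versions.

Added example, not code from OpenSearch or from this pull request. All file
paths and file contents below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Versions the pull request description pins the FIPS artifacts to.
EXPECTED_FIPS_VERSIONS: Dict[str, str] = {
    "bc-fips": "1.0.2.1",
    "bcpg-fips": "1.0.5.1",
    "bctls-fips": "1.0.12.2",
}

# Assumed name of the shared Gradle property that non-FIPS bouncycastle
# artifacts are expected to reference instead of a literal version string.
UNIFIED_PROPERTY = "${versions.bouncycastle}"

# Constructed sample build files: one plugin that lags on bcpg-fips, one test
# fixture that hardcodes a non-FIPS artifact version.
SAMPLE_BUILD_FILES: Dict[str, str] = {
    "plugins/sample-plugin/build.gradle": """
dependencies {
    api "org.bouncycastle:bc-fips:1.0.2.1"
    api "org.bouncycastle:bcpg-fips:1.0.4"
    api "org.bouncycastle:bctls-fips:1.0.12.2"
}
""",
    "test/fixtures/sample-fixture/build.gradle": """
dependencies {
    api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
    api "org.bouncycastle:bcprov-jdk15on:1.69"
}
""",
}

# Matches a quoted Maven coordinate in the org.bouncycastle group and captures
# the artifact id and whatever stands in the version slot (literal or property).
DEP_RE = re.compile(r"""["']org\.bouncycastle:([A-Za-z0-9._-]+):([^"']+)["']""")

# (path, artifact, declared version, reason)
Finding = Tuple[str, str, str, str]


def find_bouncycastle_deps(text: str) -> List[Tuple[str, str]]:
    """Return (artifact, declared) pairs for every bouncycastle coordinate in text."""
    return DEP_RE.findall(text)


def audit(files: Dict[str, str],
          expected: Dict[str, str] = EXPECTED_FIPS_VERSIONS) -> List[Finding]:
    """Report FIPS artifacts pinned to an unexpected version and non-FIPS
    artifacts that bypass the shared version property."""
    findings: List[Finding] = []
    for path, text in files.items():
        for artifact, declared in find_bouncycastle_deps(text):
            if artifact in expected:
                if declared != expected[artifact]:
                    findings.append((path, artifact, declared,
                                     f"expected {expected[artifact]}"))
            elif declared != UNIFIED_PROPERTY:
                findings.append((path, artifact, declared,
                                 f"should reference {UNIFIED_PROPERTY}"))
    return findings


if __name__ == "__main__":
    for path, artifact, declared, reason in audit(SAMPLE_BUILD_FILES):
        print(f"{path}: {artifact} declared as {declared} ({reason})")
```

Run against the constructed sample it reports two findings: `bcpg-fips` left at 1.0.4 in the plugin, and `bcprov-jdk15on` hardcoded in the fixture. Wiring a check like this into CI turns the "use the unified version" rule from a review convention into something that fails the build.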
@tlfeng tlfeng requested a review from a team as a code owner January 5, 2022 22:15
@opensearch-ci-bot
Collaborator

Can one of the admins verify this patch?

@tlfeng tlfeng added >upgrade Label used when upgrading library dependencies (e.g., Lucene) backport 1.x CVE Fixes a CVE v1.3.0 v2.0.0 Version 2.0.0 labels Jan 5, 2022
@@ -36,7 +36,7 @@ dependencies {
compileOnly project(":server")
compileOnly project(":libs:opensearch-cli")
api "org.bouncycastle:bcpg-fips:1.0.4"
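Review bot: the context line in this hunk still pins bcpg-fips at 1.0.4 while the description moves bc-fips to 1.0.2.1 and bctls-fips to 1.0.12.2; since the three FIPS artifacts are used in conjunction, bump `api "org.bouncycastle:bcpg-fips:1.0.4"` to the matching 1.0.5.1 in the same change rather than leaving one library behind, and consider pointing all three at a single shared version property, as the description already does for bcpkix-jdk15on, so that future upgrades cannot drift apart.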
Member


There aren't any vulnerabilities for bcpg-fips but do you want to update it to 1.0.5.1 along with this change?

Collaborator Author


Good catch 😄 I will give a refresh to it as well. Since they are used in conjunction, it makes sense to upgrade to a version released together.

Collaborator Author


Now I gave a full refresh to all bouncy castle libraries. 🏰 Hope the tests pass.

@tlfeng tlfeng changed the title Update bc-fips to 1.0.2.1 Update FIPS API libraries of Bouncy Castle Jan 5, 2022
@opensearch-ci-bot
Collaborator

✅   Gradle Check success e8918ac
Log 1777

Reports 1777

@opensearch-ci-bot
Collaborator

❌   Gradle Check failure 108e2ad
Log 1778

Reports 1778

@tlfeng
Collaborator Author

tlfeng commented Jan 5, 2022

The log 1778 shows a failure reported in the issue #1693, and there is an issue #1828 to solve the bug in test.
I will re-trigger the check: start gradle check

@opensearch-ci-bot
Collaborator

✅   Gradle Check success 108e2ad
Log 1779

Reports 1779

@saratvemulapalli saratvemulapalli added the pending backport Identifies an issue or PR that still needs to be backported label Jan 6, 2022
@saratvemulapalli saratvemulapalli merged commit db23f72 into opensearch-project:main Jan 6, 2022
@tlfeng tlfeng deleted the bc-fips-1021 branch January 6, 2022 04:19
@saratvemulapalli
Member

@tlfeng could you backport this to 1.x?

@tlfeng
Collaborator Author

tlfeng commented Jan 10, 2022

@tlfeng could you backport this to 1.x?

Sure, I will do!

tlfeng added a commit to tlfeng/OpenSearch that referenced this pull request Jan 11, 2022
* Update bc-fips to 1.0.2.1

Signed-off-by: Tianli Feng <[email protected]>

* Update bcpg-fips to 1.0.5.1

Signed-off-by: Tianli Feng <[email protected]>

* Update bctls-fips to 1.0.12.2

Signed-off-by: Tianli Feng <[email protected]>

* Use the unified bouncycastle version for bcpkix-jdk15on in HDFS testing fixture

Signed-off-by: Tianli Feng <[email protected]>
tlfeng added a commit to tlfeng/OpenSearch that referenced this pull request Jan 11, 2022
dblock pushed a commit that referenced this pull request Jan 12, 2022
dblock pushed a commit that referenced this pull request Jan 13, 2022
@saratvemulapalli saratvemulapalli removed the pending backport Identifies an issue or PR that still needs to be backported label Jan 13, 2022