Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-19154

upgrade bouncy castle to 1.78.1 due to CVEs

    XMLWordPrintableJSON

Details

    Description

      https://www.bouncycastle.org/releasenotes.html#r1rv78

      There is a v1.78.1 release but no notes for it yet.

      For v1.78

      2.1.5 Security Advisories.

      Release 1.78 deals with the following CVEs:

      • CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
      • CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.
      • CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
      • CVE-2024-301XX - When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.

      Attachments

        Activity

          People

            pj.fanning PJ Fanning
            fanningpj PJ Fanning
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: