
[Broker-J] Upgrade bouncycastle component versions

      Description

      The component below is reported as vulnerable and needs to be upgraded:

      Component Name                    Component Version
      org.bouncycastle:bcprov-jdk15on   1.66

      The above package is vulnerable to Comparison Using Wrong Factors. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing an incorrect password to be reported as matching a previously hashed password that was different.

      https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-1052448

       This is a test dependency, hence the QPID broker is not vulnerable to the reported issue. However, we need to upgrade the bouncycastle version in order to stop it from being flagged by scanning tools.
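       The check a scanner performs here, as an added illustration for this ticket (not Qpid Broker-J project code): parse a Maven POM, flag the bcprov-jdk15on coordinates below the fixed version, and report the dependency scope, since a test scope is what makes the finding hygiene rather than product exposure. The fixed version 1.67 is an assumption taken from the linked Snyk advisory; the POM is constructed to mirror the ticket.

```python
"""Flag the Bouncy Castle artifact named in QPID-8501 in a Maven POM.
Added illustration for this ticket, not Qpid Broker-J project code.
Assumption: FIXED_VERSION comes from the linked Snyk advisory; confirm it there."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FLAGGED = ("org.bouncycastle", "bcprov-jdk15on")
FIXED_VERSION = "1.67"  # assumption, see docstring
# Constructed sample POM mirroring the ticket: bcprov-jdk15on 1.66 in test scope.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.66</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.qpid</groupId>
      <artifactId>qpid-broker-core</artifactId>
      <version>8.0.0</version>
    </dependency>
  </dependencies>
</project>"""


def version_tuple(v):
    """'1.66' -> (1, 66), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def flagged_dependencies(pom_xml, fixed=FIXED_VERSION):
    """Return (version, scope) for each flagged dependency older than the fix.
    Scope defaults to 'compile' as Maven does; 'test' means the jar is not
    shipped with the broker, which is why the ticket treats this as hygiene."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iterfind(".//m:dependency", NS):
        coords = tuple(dep.findtext(f"m:{tag}", default="", namespaces=NS)
                       for tag in ("groupId", "artifactId"))
        version = dep.findtext("m:version", default="", namespaces=NS)
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        if coords == FLAGGED and version and version_tuple(version) < version_tuple(fixed):
            hits.append((version, scope))
    return hits


if __name__ == "__main__":
    for version, scope in flagged_dependencies(SAMPLE_POM):
        print(f"{FLAGGED[1]} {version} ({scope} scope) is below {FIXED_VERSION}")
```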

             People

             Assignee: Unassigned
             Reporter: DedeepyaT Dedeepya
