CVE vulnerabilities reported in BouncyCastle jars
jchirantan opened this issue · 1 comments
jchirantan commented
Hi @jouniaro
CVE-2024-30171 - Medium Severity Vulnerability reported on the bouncycastle jars:
- bcpkix-jdk15to18
```xml
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15to18</artifactId>
    <version>1.64</version>
    <optional>true</optional>
</dependency>
```
Dependent libraries:
- bcprov-jdk15to18
- bcutil-jdk15to18
Is there any plan to upgrade the dependency?
jouniaro commented
Thanks for the note. I guess it would be good to update the dependency. In general, the stack does not depend on a specific version of BC and you can always use a later version in practice. But I will update it.