This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-3.3 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 7a9e1a92f376f6a052ccacd39153d7a31bb46135 Author: Lari Hotari <[email protected]> AuthorDate: Wed Aug 20 18:05:42 2025 +0300 [fix][sec] Upgrade bouncycastle bcpkix-fips version to 1.79 to address CVE-2025-8916 (#24650) (cherry picked from commit e78068a0430891b24088138ce96a6538673858d3) --- bouncy-castle/bc/LICENSE | 2 +- bouncy-castle/bc/pom.xml | 2 -- bouncy-castle/bcfips/LICENSE | 4 ++-- distribution/server/src/assemble/LICENSE.bin.txt | 4 ++-- distribution/shell/src/assemble/LICENSE.bin.txt | 4 ++-- pom.xml | 17 +++++++++++++---- 6 files changed, 20 insertions(+), 13 deletions(-) diff --git a/bouncy-castle/bc/LICENSE b/bouncy-castle/bc/LICENSE index c95d33d3d1f..9cbf445cda2 100644 --- a/bouncy-castle/bc/LICENSE +++ b/bouncy-castle/bc/LICENSE @@ -205,5 +205,5 @@ This projects includes binary packages with the following licenses: Bouncy Castle License * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt - - org.bouncycastle-bcpkix-jdk18on-1.78.1.jar + - org.bouncycastle-bcpkix-jdk18on-1.81.jar - org.bouncycastle-bcprov-jdk18on-1.78.1.jar diff --git a/bouncy-castle/bc/pom.xml b/bouncy-castle/bc/pom.xml index 694c165a10d..0820d8b82b7 100644 --- a/bouncy-castle/bc/pom.xml +++ b/bouncy-castle/bc/pom.xml @@ -43,13 +43,11 @@ <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcpkix-jdk18on</artifactId> - <version>${bouncycastle.version}</version> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-ext-jdk18on</artifactId> - <version>${bouncycastle.version}</version> </dependency> </dependencies> diff --git a/bouncy-castle/bcfips/LICENSE b/bouncy-castle/bcfips/LICENSE index f770bab992f..b493804d192 100644 --- a/bouncy-castle/bcfips/LICENSE +++ b/bouncy-castle/bcfips/LICENSE 
@@ -205,5 +205,5 @@ This projects includes binary packages with the following licenses: Bouncy Castle License * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt - - org.bouncycastle-bcpkix-fips-1.0.1.jar - - org.bouncycastle-bc-fips-1.0.1.jar + - org.bouncycastle-bcpkix-fips-1.0.7.jar + - org.bouncycastle-bc-fips-1.0.2.6.jar diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index 507007b10b6..a3f27bda694 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -618,9 +618,9 @@ Creative Commons Attribution License Bouncy Castle License * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt - - org.bouncycastle-bcpkix-jdk18on-1.78.1.jar + - org.bouncycastle-bcpkix-jdk18on-1.81.jar - org.bouncycastle-bcprov-jdk18on-1.78.1.jar - - org.bouncycastle-bcutil-jdk18on-1.78.1.jar + - org.bouncycastle-bcutil-jdk18on-1.81.jar ------------------------ diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt index 120769ffdef..14e0d3ad7c1 100644 --- a/distribution/shell/src/assemble/LICENSE.bin.txt +++ b/distribution/shell/src/assemble/LICENSE.bin.txt @@ -469,9 +469,9 @@ Creative Commons Attribution License Bouncy Castle License * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt - - bcpkix-jdk18on-1.78.1.jar + - bcpkix-jdk18on-1.81.jar - bcprov-jdk18on-1.78.1.jar - - bcutil-jdk18on-1.78.1.jar + - bcutil-jdk18on-1.81.jar ------------------------ diff --git a/pom.xml b/pom.xml index b288077c47e..480e9348ea6 100644 --- a/pom.xml +++ b/pom.xml 
@@ -156,9 +156,12 @@ flexible messaging model and an intuitive client API.</description> <slf4j.version>2.0.13</slf4j.version> <commons.collections4.version>4.4</commons.collections4.version> <log4j2.version>2.23.1</log4j2.version> - <bouncycastle.version>1.78.1</bouncycastle.version> + <!-- bouncycastle dependencies aren't necessarily aligned --> + <bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version> + <bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version> + <bouncycastle.bcprov-ext-jdk18on.version>1.78.1</bouncycastle.bcprov-ext-jdk18on.version> <bouncycastle.bcpkix-fips.version>1.0.7</bouncycastle.bcpkix-fips.version> - <bouncycastle.bc-fips.version>1.0.2.5</bouncycastle.bc-fips.version> + <bouncycastle.bc-fips.version>1.0.2.6</bouncycastle.bc-fips.version> <jackson.version>2.14.2</jackson.version> <reflections.version>0.10.2</reflections.version> <swagger.version>1.6.2</swagger.version> @@ -962,13 +965,19 @@ flexible messaging model and an intuitive client API.</description> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk18on</artifactId> - <version>${bouncycastle.version}</version> + <version>${bouncycastle.bcprov-jdk18on.version}</version> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcpkix-jdk18on</artifactId> - <version>${bouncycastle.version}</version> + <version>${bouncycastle.bcpkix-jdk18on.version}</version> + </dependency> + + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcprov-ext-jdk18on</artifactId> + <version>${bouncycastle.bcprov-ext-jdk18on.version}</version> </dependency> <dependency>
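Review bot: The property block now pins bcpkix-jdk18on at 1.81 while bcprov-jdk18on and bcprov-ext-jdk18on stay at 1.78.1, and the added comment says neither why nor whether that combination was tested. Each bcpkix release is built against the bcprov of the same release, so a mixed set can fail with linkage errors in certificate or TLS handling at runtime rather than at build time. The LICENSE hunks also show bcutil-jdk18on moving to 1.81, presumably transitively, since the second pom.xml hunk (`@@ -962,13 +965,19 @@`) adds no managed entry for it. I would expand the comment to something like `<!-- bcpkix-jdk18on raised to 1.81 for CVE-2025-8916; bcprov and bcprov-ext kept at 1.78.1 because <reason>; re-align when bcprov is upgraded -->`. Separately, the commit subject names bcpkix-fips 1.79, but `bouncycastle.bcpkix-fips.version` is unchanged context at 1.0.7 in this hunk, so the subject should name the artifacts that actually moved to keep the CVE fix traceable for auditors and scanners.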
