PJ Fanning created HADOOP-19154:
-----------------------------------
Summary: upgrade bouncy castle to 1.78.1 due to CVEs
Key: HADOOP-19154
URL: https://issues.apache.org/jira/browse/HADOOP-19154
Project: Hadoop Common
Issue Type: Improvement
Components: common
Reporter: PJ Fanning
[https://www.bouncycastle.org/releasenotes.html#r1rv78]
There is a v1.78.1 release but no notes for it yet.
For v1.78
h3. 2.1.5 Security Advisories.
Release 1.78 deals with the following CVEs:
* CVE-2024-29857 - Importing an EC certificate with specially crafted F2m
parameters can cause high CPU usage during parameter evaluation.
* CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due
to exception processing eliminated.
* CVE-2024-30172 - Crafted signature and public key can be used to trigger an
infinite loop in the Ed25519 verification code.
* CVE-2024-301XX - When endpoint identification is enabled and an SSL socket
is not created with an explicit hostname (as happens with HttpsURLConnection),
hostname verification could be performed against a DNS-resolved IP address.
This has been fixed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
