tomee-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jonathan S Fisher (JIRA)" <j...@apache.org>
Subject [jira] [Created] (TOMEE-2042) Force upgrade of bcprov to fix 10 CVEs
Date Tue, 30 May 2017 20:48:04 GMT
Jonathan S Fisher created TOMEE-2042:
----------------------------------------

             Summary: Force upgrade of bcprov to fix 10 CVEs
                 Key: TOMEE-2042
                 URL: https://issues.apache.org/jira/browse/TOMEE-2042
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Core Server
    Affects Versions: 7.0.3
            Reporter: Jonathan S Fisher


https://github.com/apache/tomee/pull/68

bcprov is included as a transient dependency for openejb-cxf module. This forces a secure
version. I plan on logging bugs for wss4j and opensaml to upgrade the dependency.

[INFO] +- org.apache.wss4j:wss4j-ws-security-dom:jar:2.1.9:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-common:jar:2.1.9:compile
[INFO] |     +- org.apache.santuario:xmlsec:jar:2.0.6:compile
[INFO] |     |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] |     +- org.opensaml:opensaml-saml-impl:jar:3.1.1:compile
[INFO] |     |  +- org.opensaml:opensaml-profile-api:jar:3.1.1:compile
[INFO] |     |  |  \- org.opensaml:opensaml-core:jar:3.1.1:compile
[INFO] |     |  +- org.opensaml:opensaml-saml-api:jar:3.1.1:compile
[INFO] |     |  |  +- org.opensaml:opensaml-xmlsec-api:jar:3.1.1:compile
[INFO] |     |  |  \- org.opensaml:opensaml-soap-api:jar:3.1.1:compile
[INFO] |     |  +- org.opensaml:opensaml-security-impl:jar:3.1.1:compile
[INFO] |     |  |  \- org.opensaml:opensaml-security-api:jar:3.1.1:compile
[INFO] |     |  |     +- org.cryptacular:cryptacular:jar:1.0:compile
[INFO] |     |  |     \- org.bouncycastle:bcprov-jdk15on:jar:1.51:compile
It contains the following CVEs:
CVE-2016-1000341
CVE-2016-1000346
CVE-2016-1000340
CVE-2016-1000344
CVE-2016-1000352
CVE-2016-1000338
CVE-2016-1000339
CVE-2016-1000342
CVE-2016-1000343
CVE-2016-1000345




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message