chore: updates bouncy castle to 1.75 (latest 1.7x) by kebeda · Pull Request #741 · sendgrid/sendgrid-java

kebeda · 2023-06-21T23:26:26Z

This mitigates CVE-2023-33201.

ref. https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

This mitigates CVE-2023-33201. ref. https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

lexek · 2023-07-03T11:57:08Z

@thinkingserious @twilio-dx can someone look into this?

ghost · 2023-09-29T09:52:59Z

Please mitigate this vulnerability by updating Bouncy Castle
@childish-sambino @twilio-dx @twilio-taylorferguson @twilio-ci

snesm · 2023-09-29T14:15:39Z

Latest is now 1.76 which fixes an additional vulnerability.

ghost · 2023-09-29T14:20:29Z

pom.xml

-      <artifactId>bcprov-jdk15on</artifactId>
-      <version>1.70</version>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>1.75</version>


Suggested change

<version>1.75</version>

<version>1.76</version>

@rakatyal @shrutiburman please commit this change and merge this PR to fix the CVE vulnerability

@claudiachua as well

gian1200 · 2023-10-11T13:18:50Z

Any update on this?

mrdziuban · 2023-10-12T21:47:08Z

I'm also interested in updates on this, would love to resolve this CVE in my project. Thanks in advance!

ghost · 2023-10-16T13:35:38Z

Please mitigate this vulnerability by updating Bouncy Castle
@sendgrid-argo-cd @sendgrid-ci @sendgrid-github-readonly @sendgrid-jira @SendGridDX

lexek · 2023-10-19T23:40:51Z

Might make sense for maintainers to create a fresh pr for fix

gian1200 · 2023-10-20T14:05:46Z

Th last commit on main branch was Jan 3. Why the need for a new PR?

mrdziuban · 2023-11-08T13:04:20Z

@shrutiburman this was merged with 1.75 instead of 1.76, the latest bouncycastle version -- will there be a separate pull request to update the latest?

mrdziuban · 2023-11-08T13:10:31Z

@shrutiburman opened a PR here #744

shrutiburman · 2023-11-08T13:41:40Z

Oh, thanks @mrdziuban for the PR. I'll merge that once all runs are passing.

shrutiburman · 2023-11-08T13:45:09Z

Done.

📦️ chore(deps): updates bouncy castle to 1.75 (latest 1.7x)

8d67f9c

This mitigates CVE-2023-33201. ref. https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

kebeda changed the title ~~📦️ chore(deps): updates bouncy castle to 1.75 (latest 1.7x)~~ chore: updates bouncy castle to 1.75 (latest 1.7x) Jun 21, 2023

kebeda mentioned this pull request Jun 21, 2023

CVE-2023-33201 (Medium) detected in bcprov-jdk15on-1.70.jar - autoclosed opensearch-project/security#2888

Closed

1 task

kebeda closed this Jun 22, 2023

kebeda deleted the fix/CVE-2023-33201 branch June 22, 2023 13:05

kebeda restored the fix/CVE-2023-33201 branch June 22, 2023 13:07

kebeda reopened this Jun 22, 2023

ghost approved these changes Sep 29, 2023

View reviewed changes

ghost reviewed Sep 29, 2023

View reviewed changes

Merge branch 'main' into fix/CVE-2023-33201

44598dd

shrutiburman approved these changes Nov 8, 2023

View reviewed changes

shrutiburman merged commit d4d332f into sendgrid:main Nov 8, 2023

mrdziuban mentioned this pull request Nov 8, 2023

chore: updates bouncy castle to 1.76 (latest 1.7x) #744

Merged

8 tasks

Conversation

kebeda commented Jun 21, 2023

Uh oh!

lexek commented Jul 3, 2023

Uh oh!

ghost commented Sep 29, 2023

Uh oh!

snesm commented Sep 29, 2023

Uh oh!

ghost Sep 29, 2023

Choose a reason for hiding this comment

Uh oh!

ghost Nov 8, 2023

Choose a reason for hiding this comment

Uh oh!

ghost Nov 8, 2023

Choose a reason for hiding this comment

Uh oh!

gian1200 commented Oct 11, 2023

Uh oh!

mrdziuban commented Oct 12, 2023

Uh oh!

ghost commented Oct 16, 2023

Uh oh!

lexek commented Oct 19, 2023

Uh oh!

gian1200 commented Oct 20, 2023

Uh oh!

mrdziuban commented Nov 8, 2023

Uh oh!

mrdziuban commented Nov 8, 2023

Uh oh!

shrutiburman commented Nov 8, 2023

Uh oh!

shrutiburman commented Nov 8, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants