
Update Bouncycastle to fix Cryptographic Issues vulnerability #12412

Closed
wants to merge 1 commit into from

Conversation

abstractj
Contributor

Resolves #12411

@mposolda
Contributor

mposolda commented Jun 10, 2022

@abstractj I may have missed something, but simply updating the dependency in pom.xml is not sufficient, at least for the Wildfly distribution, due to the fact that Keycloak must use the bouncycastle version which is packed inside Wildfly. And since there is no Wildfly upgrade, the "runtime" of the Keycloak Wildfly distribution will still use the old version of Bouncycastle packed inside Wildfly. Or did I miss something?

Also there are test failures (for example in Quarkus), which likely need to be solved and which seem to be a regression of this.

@abstractj abstractj added the status/hold PR should not be merged. On hold for later. label Jun 10, 2022
@abstractj
Contributor Author

abstractj commented Jun 10, 2022

@mposolda you didn't miss anything, on the contrary, thanks for bringing this up. I'll check the broken tests. Quarkus 2.7.5.Final is already on BC 1.70, while WildFly is on 1.69 and so it should be safe to upgrade after fixing those tests.
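The point raised above is that the Bouncy Castle version declared in pom.xml is not necessarily the one the distribution runs with: the Wildfly distribution loads the bcprov jar shipped in Wildfly's own module directory. The script below is an added example, not Keycloak's or Wildfly's code. It walks a distribution tree, reads the version of every bcprov jar from its manifest (the `Bundle-Version` / `Implementation-Version` attribute names and the fallback to the file name are assumptions), flags jars below a required minimum, and also reports whether each jar contains `org/bouncycastle/asn1/bsi/BSIObjectIdentifiers.class`, the class the failing tests could not find. The jars and the `modules/system/layers/base/org/bouncycastle/main` layout are constructed inline so the check runs offline; no claim is made about which upstream release first shipped that class.

```python
"""Report the Bouncy Castle versions actually shipped in a distribution tree.

Added example (not project code). Scans for bcprov*.jar files, reads each
jar's manifest version, compares it with a required minimum and checks for
the presence of one class. Sample jars are constructed by this script.
"""
import os
import re
import tempfile
import zipfile

MIN_VERSION = (1, 70)  # the version the pom.xml bump targets (assumed)
BSI_CLASS = "org/bouncycastle/asn1/bsi/BSIObjectIdentifiers.class"


def parse_version(text):
    """Extract a (major, minor) tuple from '1.70', '1.70.0' or a jar name."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def jar_version(path):
    """Prefer the manifest version; fall back to the version in the file name."""
    with zipfile.ZipFile(path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    # Attribute names are assumed; check both commonly used ones.
    for key in ("Bundle-Version", "Implementation-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return parse_version(m.group(1))
    return parse_version(os.path.basename(path))


def jar_has_class(path, class_entry):
    """True if the given class file is an entry of the jar."""
    with zipfile.ZipFile(path) as jar:
        return class_entry in jar.namelist()


def scan(root, minimum=MIN_VERSION, class_entry=BSI_CLASS):
    """Return one finding per bcprov jar found under root, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("bcprov") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings.append({
                    "path": os.path.relpath(path, root),
                    "version": version,
                    "outdated": version is None or version < minimum,
                    "has_class": jar_has_class(path, class_entry),
                })
    return sorted(findings, key=lambda f: f["path"])


def make_jar(path, version, with_bsi_class):
    """Write a minimal constructed jar with a manifest and optional class entry."""
    manifest = f"Manifest-Version: 1.0\r\nBundle-Version: {version}.0\r\n"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if with_bsi_class:
            jar.writestr(BSI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes


def build_sample_distribution():
    """Constructed tree: an older jar in the server module, a newer one in build/lib."""
    root = tempfile.mkdtemp(prefix="bc-scan-")
    module_dir = os.path.join(root, "modules", "system", "layers", "base",
                              "org", "bouncycastle", "main")  # assumed layout
    os.makedirs(module_dir)
    make_jar(os.path.join(module_dir, "bcprov-jdk15on-1.69.jar"), "1.69", False)
    build_dir = os.path.join(root, "build", "lib")
    os.makedirs(build_dir)
    make_jar(os.path.join(build_dir, "bcprov-jdk15on-1.70.jar"), "1.70", True)
    return root


if __name__ == "__main__":
    for f in scan(build_sample_distribution()):
        state = "OUTDATED" if f["outdated"] else "ok"
        present = "present" if f["has_class"] else "missing"
        print(f"{f['path']}: {f['version']} {state}; BSIObjectIdentifiers {present}")
```

Run against a real unpacked distribution by calling `scan("/path/to/keycloak-dist")`; any jar reported as outdated is the one the server will actually load regardless of what pom.xml says, and a missing class entry explains a `ClassNotFoundException` at test time.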

Contributor

@pedroigor pedroigor left a comment


Sorry, missed the comments.

@abstractj
Contributor Author

No worries @pedroigor and thanks for reviewing it.

@abstractj abstractj marked this pull request as draft June 10, 2022 13:59
Contributor

@stianst stianst left a comment


Looking at the test results, it looks like there are some real failures here:
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.bsi.BSIObjectIdentifiers

Labels
area/dependencies status/hold PR should not be merged. On hold for later.
Linked issues

BDSA-2018-5235 - Update Bouncycastle to fix Cryptographic Issues vulnerability
4 participants