nodece pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new a14f6ccf314 [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588,
CVE-2026-0636) (#25569)
a14f6ccf314 is described below
commit a14f6ccf31464a645dcb9af012ccdde73fc5124e
Author: Lari Hotari <[email protected]>
AuthorDate: Thu Apr 23 04:59:16 2026 +0300
[fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636)
(#25569)
---
bouncy-castle/bc/build.gradle.kts | 2 +-
distribution/server/src/assemble/LICENSE.bin.txt | 6 +++---
distribution/shell/src/assemble/LICENSE.bin.txt | 6 +++---
gradle/libs.versions.toml | 15 ++++++---------
pulsar-broker/build.gradle.kts | 2 +-
pulsar-client-messagecrypto-bc/build.gradle.kts | 2 +-
6 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/bouncy-castle/bc/build.gradle.kts
b/bouncy-castle/bc/build.gradle.kts
index 59460003b4d..9e2527691c2 100644
--- a/bouncy-castle/bc/build.gradle.kts
+++ b/bouncy-castle/bc/build.gradle.kts
@@ -27,5 +27,5 @@ dependencies {
exclude(group = "io.prometheus", module = "simpleclient_caffeine")
}
implementation(libs.bcpkix.jdk18on)
- implementation(libs.bcprov.ext.jdk18on)
+ implementation(libs.bcprov.jdk18on)
}
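Review bot: Dropping `libs.bcprov.ext.jdk18on` here (and in the pulsar-broker and pulsar-client-messagecrypto-bc hunks) removes it only as a direct dependency; nothing visible in this commit stops a third-party dependency from pulling `bcprov-ext-jdk18on` back in transitively at the old 1.78.1 level. The ext jar presumably ships the same `org.bouncycastle` provider classes as `bcprov-jdk18on`, so a stale copy on the classpath could be loaded instead of the patched 1.84 classes. Consider a build-wide exclusion such as `configurations.all { exclude(group = "org.bouncycastle", module = "bcprov-ext-jdk18on") }`, or a dependency-report check in CI, if the project does not already have one outside this diff. The `dependencies` block starts above the hunk.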
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt
b/distribution/server/src/assemble/LICENSE.bin.txt
index a066492f423..664eacf507e 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -630,9 +630,9 @@ Public Domain (CC0) -- ../licenses/LICENSE-CC0.txt
Bouncy Castle License
* Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
- - org.bouncycastle-bcpkix-jdk18on-1.81.jar
- - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
- - org.bouncycastle-bcutil-jdk18on-1.81.jar
+ - org.bouncycastle-bcpkix-jdk18on-1.84.jar
+ - org.bouncycastle-bcprov-jdk18on-1.84.jar
+ - org.bouncycastle-bcutil-jdk18on-1.84.jar
------------------------
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt
b/distribution/shell/src/assemble/LICENSE.bin.txt
index 2e07808c54a..4a92807f73b 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -471,9 +471,9 @@ Public Domain (CC0) -- ../licenses/LICENSE-CC0.txt
Bouncy Castle License
* Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
- - bcpkix-jdk18on-1.81.jar
- - bcprov-jdk18on-1.78.1.jar
- - bcutil-jdk18on-1.81.jar
+ - bcpkix-jdk18on-1.84.jar
+ - bcprov-jdk18on-1.84.jar
+ - bcutil-jdk18on-1.84.jar
------------------------
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 623a3fe2982..198200aafe8 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -56,11 +56,9 @@ commons-logging = "1.3.5"
commons-beanutils = "1.11.0"
commons-configuration2 = "2.12.0"
# BouncyCastle
-bouncycastle-bcprov = "1.78.1"
-bouncycastle-bcpkix = "1.81"
-bouncycastle-bcutil = "1.81"
-bouncycastle-bcprov-ext = "1.78.1"
-bouncycastle-bcpkix-fips = "2.0.10"
+bouncycastle = "1.84"
+bouncycastle-bcpkix-fips = "2.0.11"
+bouncycastle-bcutil-fips = "2.0.6"
bouncycastle-bc-fips = "2.0.1"
# Serialization
avro = "1.12.0"
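Review bot: `bouncycastle-bc-fips` stays at 2.0.1 on the context line while `bouncycastle-bcpkix-fips` and `bouncycastle-bcutil-fips` are raised next to it. The commit does not say whether the two CVEs in the title apply to the FIPS provider, or whether the newer FIPS add-ons are supported on that base version; a short comment recording the answer would help the next reviewer. The new shared key also deserves a comment, for example `# One version for all org.bouncycastle *-jdk18on artifacts; bump them together`, since the previous split pins (1.78.1 vs 1.81) are what this change cleans up.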
@@ -307,11 +305,10 @@ opentelemetry-instrumentation-runtime-telemetry-java17 =
{ module = "io.opentele
opentelemetry-semconv = { module =
"io.opentelemetry.semconv:opentelemetry-semconv", version.ref =
"opentelemetry-semconv" }
opentelemetry-gcp-resources = { module =
"io.opentelemetry.contrib:opentelemetry-gcp-resources", version.ref =
"opentelemetry-gcp-resources" }
# BouncyCastle
-bcpkix-jdk18on = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref =
"bouncycastle-bcpkix" }
-bcprov-ext-jdk18on = { module = "org.bouncycastle:bcprov-ext-jdk18on",
version.ref = "bouncycastle-bcprov-ext" }
+bcpkix-jdk18on = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref =
"bouncycastle" }
bcpkix-fips = { module = "org.bouncycastle:bcpkix-fips", version.ref =
"bouncycastle-bcpkix-fips" }
bc-fips = { module = "org.bouncycastle:bc-fips", version.ref =
"bouncycastle-bc-fips" }
-bcutil-fips = "org.bouncycastle:bcutil-fips:2.0.5"
+bcutil-fips = { module = "org.bouncycastle:bcutil-fips", version.ref =
"bouncycastle-bcutil-fips" }
# RocksDB
rocksdbjni = { module = "org.rocksdb:rocksdbjni", version.ref = "rocksdb" }
# Error Prone
@@ -440,7 +437,7 @@ athenz-cert-refresher = { module =
"com.yahoo.athenz:athenz-cert-refresher", ver
athenz-auth-core = { module = "com.yahoo.athenz:athenz-auth-core", version.ref
= "athenz" }
athenz-zpe-java-client = { module = "com.yahoo.athenz:athenz-zpe-java-client",
version.ref = "athenz" }
# Misc
-bcprov-jdk18on = { module = "org.bouncycastle:bcprov-jdk18on", version.ref =
"bouncycastle-bcprov" }
+bcprov-jdk18on = { module = "org.bouncycastle:bcprov-jdk18on", version.ref =
"bouncycastle" }
commons-logging = { module = "commons-logging:commons-logging", version.ref =
"commons-logging" }
commons-beanutils = { module = "commons-beanutils:commons-beanutils",
version.ref = "commons-beanutils" }
commons-configuration2 = { module =
"org.apache.commons:commons-configuration2", version.ref =
"commons-configuration2" }
diff --git a/pulsar-broker/build.gradle.kts b/pulsar-broker/build.gradle.kts
index e82061e7022..11ff27ea98b 100644
--- a/pulsar-broker/build.gradle.kts
+++ b/pulsar-broker/build.gradle.kts
@@ -116,7 +116,7 @@ dependencies {
testImplementation(project(":pulsar-io:pulsar-io-batch-discovery-triggerers"))
testImplementation(libs.zt.zip)
testImplementation(libs.asynchttpclient)
- testImplementation(libs.bcprov.ext.jdk18on)
+ testImplementation(libs.bcprov.jdk18on)
testImplementation(libs.commons.math3)
testImplementation(libs.okhttp3)
testImplementation(libs.spring.core)
diff --git a/pulsar-client-messagecrypto-bc/build.gradle.kts
b/pulsar-client-messagecrypto-bc/build.gradle.kts
index 927a5822061..8befb504e5b 100644
--- a/pulsar-client-messagecrypto-bc/build.gradle.kts
+++ b/pulsar-client-messagecrypto-bc/build.gradle.kts
@@ -27,7 +27,7 @@ dependencies {
implementation(project(":pulsar-client-api"))
implementation(project(":bouncy-castle:bouncy-castle-bc"))
implementation(libs.bcpkix.jdk18on)
- implementation(libs.bcprov.ext.jdk18on)
+ implementation(libs.bcprov.jdk18on)
implementation(libs.guava)
implementation(libs.caffeine)
compileOnly(libs.netty.buffer)