This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.2 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 1fb3a6b5343b7d52e70f112c18bcac62dbc0221d
Author: Lari Hotari <[email protected]>
AuthorDate: Thu Apr 23 04:59:16 2026 +0300
[fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) (#25569)
(cherry picked from commit a14f6ccf31464a645dcb9af012ccdde73fc5124e)
---
bouncy-castle/bc/pom.xml | 2 +-
bouncy-castle/bcfips/pom.xml | 12 +++++------
distribution/server/src/assemble/LICENSE.bin.txt | 6 +++---
distribution/shell/src/assemble/LICENSE.bin.txt | 6 +++---
pom.xml | 27 ++++++++++++++++++------
5 files changed, 32 insertions(+), 21 deletions(-)
diff --git a/bouncy-castle/bc/pom.xml b/bouncy-castle/bc/pom.xml
index 7b4538d1aa3..04284f49dde 100644
--- a/bouncy-castle/bc/pom.xml
+++ b/bouncy-castle/bc/pom.xml
@@ -52,7 +52,7 @@
 <dependency>
 <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk18on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
 </dependency>
 </dependencies>
diff --git a/bouncy-castle/bcfips/pom.xml b/bouncy-castle/bcfips/pom.xml
index b07fbe49221..846f2b45f77 100644
--- a/bouncy-castle/bcfips/pom.xml
+++ b/bouncy-castle/bcfips/pom.xml
@@ -32,11 +32,6 @@
 <name>Apache Pulsar :: Bouncy Castle :: BC-FIPS</name>
 <dependencies>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcutil-fips</artifactId>
- <version>2.0.5</version>
- </dependency>
 <dependency>
 <groupId>${project.groupId}</groupId>
 <artifactId>pulsar-common</artifactId>
@@ -53,13 +48,16 @@
 <dependency>
 <groupId>org.bouncycastle</groupId>
 <artifactId>bc-fips</artifactId>
- <version>${bouncycastle.bc-fips.version}</version>
 </dependency>
 <dependency>
 <groupId>org.bouncycastle</groupId>
 <artifactId>bcpkix-fips</artifactId>
- <version>${bouncycastle.bcpkix-fips.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcutil-fips</artifactId>
 </dependency>
 </dependencies>
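Review bot: Nothing in bouncy-castle/bc/pom.xml or the commit title records that this dependency changes artifact (`bcprov-ext-jdk18on` to `bcprov-jdk18on`) rather than only version. If any code or configuration relied on classes shipped only in the -ext jar, the failure would show up at runtime rather than at build time, so it is worth confirming that and saying so. A one-line comment above the dependency, such as `<!-- bcprov-jdk18on replaces bcprov-ext-jdk18on so the provider follows ${bouncycastle.version} -->`, would also discourage re-adding the old artifact. The enclosing `<dependencies>` block starts outside the hunk.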
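Review bot: The commit does not say whether CVE-2026-5588 and CVE-2026-0636 reach the FIPS artifacts that bouncy-castle/bcfips/pom.xml depends on. These dependencies now take their versions from the root pom, where `bc-fips` stays at 2.0.1 while `bcpkix-fips` moves to 2.0.11 and `bcutil-fips` to 2.0.6 (the pom.xml hunk at -204). From this page a reader auditing the FIPS build cannot tell whether `bc-fips` 2.0.1 was checked and found unaffected or was simply out of scope. A comment next to the FIPS version properties would settle it, for example `<!-- FIPS artifacts are versioned separately from bouncycastle.version; bc-fips status for the CVEs fixed in 1.84: (fill in) -->`.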
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
index 6645d0d5392..c18f4667487 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -634,9 +634,9 @@ Public Domain (CC0) -- ../licenses/LICENSE-CC0.txt
 Bouncy Castle License
 * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
- - org.bouncycastle-bcpkix-jdk18on-1.81.jar
- - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
- - org.bouncycastle-bcutil-jdk18on-1.81.jar
+ - org.bouncycastle-bcpkix-jdk18on-1.84.jar
+ - org.bouncycastle-bcprov-jdk18on-1.84.jar
+ - org.bouncycastle-bcutil-jdk18on-1.84.jar
 ------------------------
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt
index b86a20eb9f3..38de80b932c 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -469,9 +469,9 @@ Public Domain (CC0) -- ../licenses/LICENSE-CC0.txt
 Bouncy Castle License
 * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
- - bcpkix-jdk18on-1.81.jar
- - bcprov-jdk18on-1.78.1.jar
- - bcutil-jdk18on-1.81.jar
+ - bcpkix-jdk18on-1.84.jar
+ - bcprov-jdk18on-1.84.jar
+ - bcutil-jdk18on-1.84.jar
 ------------------------
diff --git a/pom.xml b/pom.xml
index c505d2e6f25..9404694088d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -204,11 +204,12 @@ flexible messaging model and an intuitive client API.</description>
 <commons.collections4.version>4.5.0</commons.collections4.version>
 <log4j2.version>2.25.4</log4j2.version>
 <!-- bouncycastle dependencies aren't necessarily aligned -->
- <bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version>
- <bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version>
- <bouncycastle.bcutil-jdk18on.version>1.81</bouncycastle.bcutil-jdk18on.version>
- <bouncycastle.bcprov-ext-jdk18on.version>1.78.1</bouncycastle.bcprov-ext-jdk18on.version>
- <bouncycastle.bcpkix-fips.version>2.0.10</bouncycastle.bcpkix-fips.version>
+ <bouncycastle.version>1.84</bouncycastle.version>
+ <bouncycastle.bcprov-jdk18on.version>${bouncycastle.version}</bouncycastle.bcprov-jdk18on.version>
+ <bouncycastle.bcpkix-jdk18on.version>${bouncycastle.version}</bouncycastle.bcpkix-jdk18on.version>
+ <bouncycastle.bcutil-jdk18on.version>${bouncycastle.version}</bouncycastle.bcutil-jdk18on.version>
+ <bouncycastle.bcpkix-fips.version>2.0.11</bouncycastle.bcpkix-fips.version>
+ <bouncycastle.bcutil-fips.version>2.0.6</bouncycastle.bcutil-fips.version>
 <bouncycastle.bc-fips.version>2.0.1</bouncycastle.bc-fips.version>
 <jackson.version>2.18.6</jackson.version>
 <fastutil.version>8.5.16</fastutil.version>
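Review bot: The context comment `<!-- bouncycastle dependencies aren't necessarily aligned -->` directly above the new `bouncycastle.version` property is now misleading, because the three jdk18on properties below it all resolve to `${bouncycastle.version}`. Only the FIPS artifacts keep independent versions after this change. Rewording it to `<!-- jdk18on artifacts share bouncycastle.version; the FIPS artifacts are versioned independently -->` would make a later edit less likely to pin one jdk18on artifact separately. That would bring back the skew this commit removes, with bcprov at 1.78.1 next to bcpkix and bcutil at 1.81.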
@@ -999,8 +1000,20 @@ flexible messaging model and an intuitive client API.</description>
 <dependency>
 <groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk18on</artifactId>
- <version>${bouncycastle.bcprov-ext-jdk18on.version}</version>
+ <artifactId>bc-fips</artifactId>
+ <version>${bouncycastle.bc-fips.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-fips</artifactId>
+ <version>${bouncycastle.bcpkix-fips.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcutil-fips</artifactId>
+ <version>${bouncycastle.bcutil-fips.version}</version>
 </dependency>
 <dependency>
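Review bot: With the managed `bcprov-ext-jdk18on` entry removed here, nothing in this pom stops that artifact from coming back transitively at whatever old version a third-party dependency declares. It would then sit on the classpath next to `bcprov-jdk18on` 1.84 with overlapping `org.bouncycastle` classes. The page does not show whether such a transitive path exists; `mvn dependency:tree -Dincludes=org.bouncycastle` on the distribution modules would confirm it. If the build already runs maven-enforcer-plugin, adding `<exclude>org.bouncycastle:bcprov-ext-jdk18on</exclude>` to a `bannedDependencies` rule would keep it out permanently. The surrounding block, presumably `<dependencyManagement>`, starts and ends outside the hunk.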
