This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new 01552692747 [fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588,
CVE-2026-0636) (#25569)
01552692747 is described below
commit 01552692747ce23a28e31c2396e8687e9c8d46da
Author: Lari Hotari <[email protected]>
AuthorDate: Thu Apr 23 04:59:16 2026 +0300
[fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636)
(#25569)
(cherry picked from commit a14f6ccf31464a645dcb9af012ccdde73fc5124e)
---
bouncy-castle/bc/pom.xml | 2 +-
bouncy-castle/bcfips/pom.xml | 12 +++++------
distribution/server/src/assemble/LICENSE.bin.txt | 6 +++---
distribution/shell/src/assemble/LICENSE.bin.txt | 6 +++---
pom.xml | 26 ++++++++++++++++++------
pulsar-sql/presto-distribution/LICENSE | 6 +++---
6 files changed, 35 insertions(+), 23 deletions(-)
diff --git a/bouncy-castle/bc/pom.xml b/bouncy-castle/bc/pom.xml
index 9adbe4b7708..f2fa359016c 100644
--- a/bouncy-castle/bc/pom.xml
+++ b/bouncy-castle/bc/pom.xml
@@ -47,7 +47,7 @@
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk18on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
</dependency>
</dependencies>
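Review bot: Swapping `bcprov-ext-jdk18on` for `bcprov-jdk18on` here does not by itself keep the old artifact off the classpath: if any transitive dependency still brings in `bcprov-ext-jdk18on`, it would ship the same `org.bouncycastle` packages next to the 1.84 provider, and which copy loads would depend on classpath order. Nothing visible in this diff excludes or bans the old coordinates, so this is worth checking with `mvn dependency:tree -Dincludes=org.bouncycastle` and, if needed, a maven-enforcer `bannedDependencies` entry for `org.bouncycastle:bcprov-ext-jdk18on` in the root pom. The dependency is also declared without a version, so it relies on a managed `bcprov-jdk18on` entry that the root pom hunks shown here do not include; presumably it already exists outside those hunks. Any shade or exclusion filters elsewhere that name the `-ext` artifact would need the same rename.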
diff --git a/bouncy-castle/bcfips/pom.xml b/bouncy-castle/bcfips/pom.xml
index a78507938f0..77ececa8d83 100644
--- a/bouncy-castle/bcfips/pom.xml
+++ b/bouncy-castle/bcfips/pom.xml
@@ -33,11 +33,6 @@
<name>Apache Pulsar :: Bouncy Castle :: BC-FIPS</name>
<dependencies>
- <dependency>
- <groupId>org.bouncycastle</groupId>
- <artifactId>bcutil-fips</artifactId>
- <version>2.0.5</version>
- </dependency>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>pulsar-common</artifactId>
@@ -48,13 +43,16 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bc-fips</artifactId>
- <version>${bouncycastle.bc-fips.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-fips</artifactId>
- <version>${bouncycastle.bcpkix-fips.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcutil-fips</artifactId>
</dependency>
</dependencies>
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt
b/distribution/server/src/assemble/LICENSE.bin.txt
index 04be95f0adf..78549cfde8b 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -573,9 +573,9 @@ Creative Commons Attribution License
Bouncy Castle License
* Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
- - org.bouncycastle-bcpkix-jdk18on-1.81.jar
- - org.bouncycastle-bcprov-jdk18on-1.78.1.jar
- - org.bouncycastle-bcutil-jdk18on-1.81.jar
+ - org.bouncycastle-bcpkix-jdk18on-1.84.jar
+ - org.bouncycastle-bcprov-jdk18on-1.84.jar
+ - org.bouncycastle-bcutil-jdk18on-1.84.jar
------------------------
diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt
b/distribution/shell/src/assemble/LICENSE.bin.txt
index e06e1aec1b9..e525348abfa 100644
--- a/distribution/shell/src/assemble/LICENSE.bin.txt
+++ b/distribution/shell/src/assemble/LICENSE.bin.txt
@@ -464,9 +464,9 @@ Creative Commons Attribution License
Bouncy Castle License
* Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt
- - bcpkix-jdk18on-1.81.jar
- - bcprov-jdk18on-1.78.1.jar
- - bcutil-jdk18on-1.81.jar
+ - bcpkix-jdk18on-1.84.jar
+ - bcprov-jdk18on-1.84.jar
+ - bcutil-jdk18on-1.84.jar
------------------------
diff --git a/pom.xml b/pom.xml
index 1ef8e08520a..4655756faa6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -154,10 +154,12 @@ flexible messaging model and an intuitive client
API.</description>
<commons.collections4.version>4.4</commons.collections4.version>
<log4j2.version>2.25.4</log4j2.version>
<!-- bouncycastle dependencies aren't necessarily aligned -->
-
<bouncycastle.bcprov-jdk18on.version>1.78.1</bouncycastle.bcprov-jdk18on.version>
-
<bouncycastle.bcpkix-jdk18on.version>1.81</bouncycastle.bcpkix-jdk18on.version>
-
<bouncycastle.bcprov-ext-jdk18on.version>1.78.1</bouncycastle.bcprov-ext-jdk18on.version>
- <bouncycastle.bcpkix-fips.version>2.0.10</bouncycastle.bcpkix-fips.version>
+ <bouncycastle.version>1.84</bouncycastle.version>
+
<bouncycastle.bcprov-jdk18on.version>${bouncycastle.version}</bouncycastle.bcprov-jdk18on.version>
+
<bouncycastle.bcpkix-jdk18on.version>${bouncycastle.version}</bouncycastle.bcpkix-jdk18on.version>
+
<bouncycastle.bcutil-jdk18on.version>${bouncycastle.version}</bouncycastle.bcutil-jdk18on.version>
+ <bouncycastle.bcpkix-fips.version>2.0.11</bouncycastle.bcpkix-fips.version>
+ <bouncycastle.bcutil-fips.version>2.0.6</bouncycastle.bcutil-fips.version>
<bouncycastle.bc-fips.version>2.0.1</bouncycastle.bc-fips.version>
<jackson.version>2.18.6</jackson.version>
<reflections.version>0.10.2</reflections.version>
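Review bot: The retained comment `<!-- bouncycastle dependencies aren't necessarily aligned -->` no longer matches the properties below it, since the three jdk18on artifacts now all resolve to `${bouncycastle.version}` and only the FIPS artifacts keep independent versions. I would reword it to something like `<!-- jdk18on artifacts share bouncycastle.version; the *-fips artifacts are versioned separately -->` so the next security bump changes one property rather than reintroducing per-artifact drift. `bouncycastle.bc-fips.version` stays at 2.0.1 in this hunk, and the commit message does not say whether the FIPS line is affected by the listed CVEs, so a one-line note on that would help whoever audits this later.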
@@ -970,8 +972,20 @@ flexible messaging model and an intuitive client
API.</description>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-ext-jdk18on</artifactId>
- <version>${bouncycastle.bcprov-ext-jdk18on.version}</version>
+ <artifactId>bc-fips</artifactId>
+ <version>${bouncycastle.bc-fips.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-fips</artifactId>
+ <version>${bouncycastle.bcpkix-fips.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcutil-fips</artifactId>
+ <version>${bouncycastle.bcutil-fips.version}</version>
</dependency>
<dependency>
diff --git a/pulsar-sql/presto-distribution/LICENSE
b/pulsar-sql/presto-distribution/LICENSE
index e8e0706b847..4f6d9955f22 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -586,6 +586,6 @@ Creative Commons Attribution License
Bouncy Castle License
* Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
- - bcpkix-jdk18on-1.81.jar
- - bcprov-jdk18on-1.78.1.jar
- - bcutil-jdk18on-1.81.jar
+ - bcpkix-jdk18on-1.84.jar
+ - bcprov-jdk18on-1.84.jar
+ - bcutil-jdk18on-1.84.jar