[ https://issues.apache.org/jira/browse/GEODE-10583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080630#comment-18080630 ]
ASF subversion and git services commented on GEODE-10583:
---------------------------------------------------------
Commit b0f90024a1663e2e394a8a1110bb7da60f2ab92d in geode's branch
refs/heads/support/2.0 from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=b0f90024a1 ]
GEODE-10583: Upgrade transitive bcprov-jdk18on from 1.82 to 1.84 (#8008)

Pin org.bouncycastle:bcprov-jdk18on (transitive via
org.apache.shiro:shiro-crypto-hash:2.1.0) to 1.84 to remediate CVE-2026-0636
(LDAP Injection), CVE-2026-5598 (Covert Timing Channel in FrodoEngine), and
CVE-2025-14813 (broken GOSTCTR in G3413CTRBlockCipher), all of which affect
1.82 and are fixed in 1.84.

- Add bouncycastle.version=1.84 and api constraint in
  DependencyConstraints.groovy
- Update integration-test classpath fixtures to reference
  bcprov-jdk18on-1.84.jar

(cherry picked from commit 3f3dbb996368065f7c23aeb1688277e984b55eb1)
> Remediation of CVE‐2025‐14813
> -----------------------------
>
> Key: GEODE-10583
> URL: https://issues.apache.org/jira/browse/GEODE-10583
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> Remediation of CVE‐2025‐14813
--
This message was sent by Atlassian Jira
(v8.20.10#820010)