GEODE-10583: Remediation of Bouncy Castle security vulnerabilities (CVE-2026-0636, CVE-2026-5598, CVE-2025-14813)#8008

Open
JinwooHwang wants to merge 1 commit into apache:develop from JinwooHwang:feature/GEODE-10583
Conversation

@JinwooHwang
Contributor

Remediation of Bouncy Castle security vulnerabilities (CVE-2026-0636, CVE-2026-5598, CVE-2025-14813)

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

Pin org.bouncycastle:bcprov-jdk18on (transitive via org.apache.shiro:shiro-crypto-hash:2.1.0) to 1.84 to remediate CVE-2026-0636 (LDAP Injection), CVE-2026-5598 (Covert Timing Channel in FrodoEngine), and CVE-2025-14813 (broken GOSTCTR in G3413CTRBlockCipher), all of which affect 1.82 and are fixed in 1.84.

- Add bouncycastle.version=1.84 and api constraint in DependencyConstraints.groovy
- Update integration-test classpath fixtures to reference bcprov-jdk18on-1.84.jar
@JinwooHwang JinwooHwang requested a review from kaajaln2 April 29, 2026 22:49
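The description pins bcprov-jdk18on to 1.84 and updates the classpath fixtures; a practitioner will want to confirm that no resolved classpath still carries an older provider jar. The following audit script is an added example written for this page, not code from the PR or from Apache Geode; it assumes the jar's version is exposed under the `Implementation-Version` or `Bundle-Version` manifest key and falls back to the version in the file name, and the 1.84 threshold is the one the PR states.

```python
"""Audit jars for bcprov-jdk18on builds older than 1.84 (constructed example)."""
import re
import tempfile
import zipfile
from pathlib import Path

ARTIFACT = "bcprov-jdk18on"
FIXED_VERSION = (1, 84)  # the release the PR pins to
# Assumption: Bouncy Castle jars expose their version under one of these
# manifest keys; the file name is the fallback when neither is present.
VERSION_KEYS = ("Implementation-Version", "Bundle-Version")

def parse_version(text):
    """Return (major, minor) from text such as '1.82' or '1.82.0'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def jar_version(jar_path):
    """Prefer the manifest version; fall back to the version in the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" in zf.namelist():
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip() in VERSION_KEYS:
                    return parse_version(value)
    return parse_version(Path(jar_path).name[len(ARTIFACT) + 1:])

def audit(directory):
    """List (file name, version) for every bcprov jar below FIXED_VERSION."""
    findings = []
    for jar in sorted(Path(directory).glob(f"{ARTIFACT}-*.jar")):
        version = jar_version(jar)
        if version is None or version < FIXED_VERSION:
            findings.append((jar.name, version))
    return findings

def make_sample_jar(path, version):
    """Write a constructed stand-in jar that holds only a manifest."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}.0\n")

def run_demo():
    """Build a 1.82 and a 1.84 sample jar, audit them, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("1.82", "1.84"):
            make_sample_jar(Path(tmp) / f"{ARTIFACT}-{version}.jar", version)
        return audit(tmp)
```

Point `audit()` at the directory a Gradle build resolves its runtime classpath into (or at an unpacked distribution's `lib` directory) to check that the constraint took effect; `run_demo()` only exercises the constructed sample jars.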