Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-6774

CVE-2024-29857, CVE-2024-29857 and CVE-2024-30172 Upgrade BouncyCastle from 1.77 to 1.78

XMLWordPrintable

    • Icon: Component Upgrade Component Upgrade
    • Resolution: Done
    • Icon: Blocker Blocker
    • 24.0.0.Final
    • None
    • Security
    • None

      Tag: https://github.com/bcgit/bc-java/releases/tag/r1rv78
      Diff: https://github.com/bcgit/bc-java/compare/r1rv77...r1rv78

      Release notes: https://www.bouncycastle.org/releasenotes.html#r1rv78

      Notice the security advisories included in this release: Release 1.78 deals with the following CVEs:

      CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
      CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.
      CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
      CVE-2024-301XX - When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.

            yborgess1@redhat.com Yeray Borges Santana
            jperkins-rhn James Perkins
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: