Merge pull request #297 from cesarhernandezgt/tomee-8.0.x-TT.x-patch

Upgrade to Bouncy Castle 1.78
tomitribe · Apr 17, 2024 · 4f941de · 4f941de
2 parents 2d5cdc3 + 387b09e
commit 4f941de
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 20 deletions.
diff --git a/boms/tomee-microprofile/pom.xml b/boms/tomee-microprofile/pom.xml
@@ -1445,7 +1445,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpkix-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
@@ -1456,7 +1456,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
@@ -1467,7 +1467,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcutil-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

diff --git a/boms/tomee-plume/pom.xml b/boms/tomee-plume/pom.xml
@@ -1544,7 +1544,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpkix-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
@@ -1555,7 +1555,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
@@ -1566,7 +1566,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcutil-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

diff --git a/boms/tomee-plus/pom.xml b/boms/tomee-plus/pom.xml
@@ -1577,7 +1577,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpkix-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
@@ -1588,7 +1588,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>
@@ -1599,7 +1599,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcutil-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <exclusions>
         <exclusion>
           <artifactId>*</artifactId>

diff --git a/server/openejb-client/pom.xml b/server/openejb-client/pom.xml
@@ -154,7 +154,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcmail-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <scope>test</scope>
     </dependency>
 

diff --git a/server/openejb-cxf/pom.xml b/server/openejb-cxf/pom.xml
@@ -139,12 +139,12 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpkix-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
     </dependency>
     <dependency>
       <groupId>org.apache.wss4j</groupId>

diff --git a/tomee/apache-tomee/pom.xml b/tomee/apache-tomee/pom.xml
@@ -564,9 +564,9 @@
               <createTarGz>true</createTarGz>
               <skips>
                 <jars>
-                  <bcpkix-jdk15to18-1.76.jar>org.bouncycastle:bcpkix-jdk15to18:jar:1.76</bcpkix-jdk15to18-1.76.jar>
-                  <bcprov-jdk15to18-1.76.jar>org.bouncycastle:bcprov-jdk15to18:jar:1.76</bcprov-jdk15to18-1.76.jar>
-                  <bcutil-jdk15to18-1.76.jar>org.bouncycastle:bcutil-jdk15to18:jar:1.76</bcutil-jdk15to18-1.76.jar>
+                  <bcpkix-jdk15to18-1.78.jar>org.bouncycastle:bcpkix-jdk15to18:jar:1.78</bcpkix-jdk15to18-1.78.jar>
+                  <bcprov-jdk15to18-1.78.jar>org.bouncycastle:bcprov-jdk15to18:jar:1.78</bcprov-jdk15to18-1.78.jar>
+                  <bcutil-jdk15to18-1.78.jar>org.bouncycastle:bcutil-jdk15to18:jar:1.78</bcutil-jdk15to18-1.78.jar>
                 </jars>
               </skips>
             </configuration>
@@ -797,9 +797,9 @@
               <createTarGz>true</createTarGz>
               <skips>
                 <jars>
-                  <bcpkix-jdk15to18-1.76.jar>org.bouncycastle:bcpkix-jdk15to18:jar:1.76</bcpkix-jdk15to18-1.76.jar>
-                  <bcprov-jdk15to18-1.76.jar>org.bouncycastle:bcprov-jdk15to18:jar:1.76</bcprov-jdk15to18-1.76.jar>
-                  <bcutil-jdk15to18-1.76.jar>org.bouncycastle:bcutil-jdk15to18:jar:1.76</bcutil-jdk15to18-1.76.jar>
+                  <bcpkix-jdk15to18-1.78.jar>org.bouncycastle:bcpkix-jdk15to18:jar:1.78</bcpkix-jdk15to18-1.78.jar>
+                  <bcprov-jdk15to18-1.78.jar>org.bouncycastle:bcprov-jdk15to18:jar:1.78</bcprov-jdk15to18-1.78.jar>
+                  <bcutil-jdk15to18-1.78.jar>org.bouncycastle:bcutil-jdk15to18:jar:1.78</bcutil-jdk15to18-1.78.jar>
                 </jars>
               </skips>
             </configuration>

diff --git a/tomee/apache-tomee/src/main/resources/META-INF/release_notes/RELEASE-NOTES-EAP-8.0.x b/tomee/apache-tomee/src/main/resources/META-INF/release_notes/RELEASE-NOTES-EAP-8.0.x
@@ -1,4 +1,7 @@
-= TomEE EAP 8.0.16-TT.3
+= TomEE EAP 8.0.16-TT.4
+
+=== Changes in TomEE EAP 8.0.16-TT.4
+* Upgrade to Bouncy Castle 1.78 to mitigate CVE-2024-29857, CVE-2024-30171, CVE-2024-30172, CVE-2024-301XX.
 
 === Changes in TomEE EAP 8.0.16-TT.3
 * Update jose4j 0.9.6 to mitigate CVE-2023-51775

diff --git a/tomee/tomee-embedded/pom.xml b/tomee/tomee-embedded/pom.xml
@@ -499,7 +499,7 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcmail-jdk15to18</artifactId>
-      <version>1.76</version>
+      <version>1.78</version>
       <scope>test</scope>
     </dependency>