MODLOGSAML-220: Bump bcprov-jdk18on and bcpkix-jdk18on to 1.83 #215
Merged
julianladisch merged 1 commit into master on Mar 12, 2026
Conversation
… 1.83 - CVE-2025-8916

https://folio-org.atlassian.net/browse/MODLOGSAML-220

Upgrade

* org.bouncycastle:bcpkix-jdk18on
* org.bouncycastle:bcprov-jdk18on

from 1.78.1 to 1.83.

This fixes this security vulnerability:

* GHSA-4cx2-fc23-5wg6 = CVE-2025-8916 ASN.1 with huge name length causes excessive resource consumption in PKIXCertPathReviewer

Previously we used a more recent cryptacular version to transitively bump the two bouncycastle dependencies; however, only cryptacular >= 1.3.0 comes with bouncycastle >= 1.79. We want to avoid this minor version bump that has too many code changes: vt-middleware/cryptacular@v1.2.7...v1.3.0
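The description above pins the two Bouncy Castle artifacts directly instead of upgrading cryptacular to pull them in transitively. The fragment below is an added example of how that pin is typically expressed in a Maven build; it is not the PR's own pom.xml. It assumes a Maven project that depends on `org.cryptacular:cryptacular` 1.2.7 (the coordinates and the surrounding project layout are assumptions for this illustration), and that the two artifacts should always move together.

```xml
<!-- Added example, not the PR's own pom.xml. Assumes a Maven build that
     pulls Bouncy Castle transitively via org.cryptacular:cryptacular 1.2.7
     (coordinates assumed for this illustration). -->
<project>
  <properties>
    <!-- One property so bcprov and bcpkix are always bumped together;
         mixing versions of the two artifacts is a common source of
         runtime errors. -->
    <bouncycastle.version>1.83</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Versions declared here override whatever a transitive
           dependency (here cryptacular 1.2.7) would otherwise resolve,
           without upgrading cryptacular itself. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Stays on 1.2.7: the minor bump to 1.3.0 is what the PR avoids. -->
    <dependency>
      <groupId>org.cryptacular</groupId>
      <artifactId>cryptacular</artifactId>
      <version>1.2.7</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.bouncycastle` and check that both artifacts resolve to 1.83 with no second version listed; the CVE-2025-8916 fix lives inside the library's PKIXCertPathReviewer, so no application code change is needed once the resolved version is correct.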
barbaraloehle approved these changes on Mar 12, 2026