[GHSA-4h8f-2wvx-gg5w] Bouncy Castle Java Cryptography API vulnerable to DNS poisoning #7407
kmoens wants to merge 1 commit into
Conversation
Pull request overview
Updates the GHSA advisory for CVE-2024-34447 (Bouncy Castle DNS poisoning hostname verification issue) by expanding the set of affected Maven artifacts.
Changes:
- Updates the advisory `modified` timestamp.
- Adds an additional Maven package entry under `affected`.
| "package": { | ||
| "ecosystem": "Maven", | ||
| "name": "org.bouncycastle:bcprov-jdk15" | ||
| }, |
PR description notes that bcprov-jdk15on is also affected, but this change adds org.bouncycastle:bcprov-jdk15 instead. Please confirm the intended Maven coordinate and update the affected list accordingly (add bcprov-jdk15on if that's the correct artifact, or adjust the PR description if not).
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "1.61" |
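Review bot: the `"introduced": "1.61"` boundary in this range should be verified against the release history of the artifact actually named in this entry (bcprov-jdk15), not copied from the other bcprov-* entries; each Maven coordinate is matched on its own, so an introduced version that was never published for this artifact, or that does not correspond to when the vulnerable hostname-verification code entered it, gives scanners a range that is either too wide or silently misses real versions. Confirm the first affected published version for this coordinate before merging.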
The newly added affected range for org.bouncycastle:bcprov-jdk15 only specifies an introduced version and no fixed version, which will mark all versions >= 1.61 as affected indefinitely. If this vulnerability is fixed in the same release as the other bcprov-* artifacts in this advisory, add the corresponding fixed event (e.g., 1.78) for consistency and accurate remediation guidance.
| "introduced": "1.61" | |
| "introduced": "1.61" | |
| }, | |
| { | |
| "fixed": "1.78" |
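Review bot: with `"fixed": "1.78"` added the range now closes consistently with the other bcprov-* entries in this advisory, but the coordinate itself is still the open point: the earlier hunk adds `org.bouncycastle:bcprov-jdk15` while the PR description names `bcprov-jdk15on`. OSV entries are matched on the exact `groupId:artifactId`, so a correct range on the wrong artifact gives users of the intended one no coverage; either add a separate `affected` entry for `org.bouncycastle:bcprov-jdk15on` with the same events, or correct the description so the advisory and its rationale agree.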
Updates
Comments
bcprov-jdk15on is also affected by this vulnerability.