[Backport 1.3.x] Upgrade BouncyCastle from 1.75 to 1.78.1 (CVE-2024-30172, CVE-2024-30171 and CVE-2024-29857) (opensearch-project#13484)

* [Backport][1.3] Bump BouncyCastle to 1.76 (opensearch-project#10219)

Signed-off-by: Milly Wilson <[email protected]>

* [Backport][1.3] Update BouncyCastle dependencies from jdk15to18 to jdk18on (opensearch-project#12317)

Signed-off-by: Milly Wilson <[email protected]>

* [Backport][1.3] Bump bouncycastle from 1.77 to 1.78 (opensearch-project#13243)

Signed-off-by: Milly Wilson <[email protected]>

* PR#13484 Re-work

* Update BC from 1.78 to 1.78.1 with latest fixes.
* Remove incorrect jdk15to18 module replacement definitions as artifacts are still supported.
* Add release notes.
* Remove unnecessary license additions.

Signed-off-by: Milly Wilson <[email protected]>

* PR#13484 Re-work

* Rename licenses from jdk18on to jdk15to18 and 1.78 to 1.78.1.
* Update SHAs for BC 1.78.1 licenses.

Signed-off-by: Milly Wilson <[email protected]>

* PR#13484 Re-work

Update Changelog and remove release notes file as this will be created upon release.

Signed-off-by: Milly Wilson <[email protected]>

---------

Signed-off-by: Milly Wilson <[email protected]>
Co-authored-by: Andrey Pleskach <[email protected]>
Co-authored-by: Stephen Crawford <[email protected]>
Co-authored-by: Andriy Redko <[email protected]>
4 people authored May 6, 2024
1 parent 59970f2 commit 81f1122
Showing 8 changed files with 5 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -7,6 +7,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
### Added
### Dependencies
- OpenJDK Update (April 2024 Patch releases), update to Eclipse Temurin 11.0.23+9 ([#13406](https://github.com/opensearch-project/OpenSearch/pull/13406))
- Upgrade BouncyCastle dependencies from 1.75 to 1.78.1 resolving [CVE-2024-30172], [CVE-2024-30171] and [CVE-2024-29857]

### Changed
### Deprecated
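Review bot: the added BouncyCastle entry under "### Dependencies" cites [CVE-2024-30172], [CVE-2024-30171] and [CVE-2024-29857] as bare bracketed references with no link targets visible in this hunk, and it omits the pull-request link that the Temurin entry directly above it carries. Suggest appending the reference for #13484 in the same ([#NNNNN](url)) form as that entry, and either defining the CVE link targets or dropping the square brackets so they do not render as literal text.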
2 changes: 1 addition & 1 deletion buildSrc/version.properties
Expand Up @@ -35,7 +35,7 @@ jetty = 9.4.53.v20231009
# when updating this version, you need to ensure compatibility with:
# - plugins/ingest-attachment (transitive dependency, check the upstream POM)
# - distribution/tools/plugin-cli
bouncycastle=1.75
bouncycastle=1.78.1
# test dependencies
randomizedrunner = 2.7.1
junit = 4.13.2
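Review bot: the comment directly above the bouncycastle line requires a compatibility check against plugins/ingest-attachment (transitive dependency, upstream POM) and distribution/tools/plugin-cli whenever this version changes, and the move from 1.75 to 1.78.1 has nothing in the hunk recording that the check was done. Please confirm both were verified against 1.78.1, ideally in the PR description. Minor style point: the entry is written bouncycastle=1.78.1 without spaces around the equals sign, while the neighbouring jetty, randomizedrunner and junit entries use spaces; that predates this change, but aligning it here would be harmless.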

This file was deleted.

@@ -0,0 +1 @@
4ec9c0125a605408da16cf8758cc75b502204cbb

This file was deleted.

@@ -0,0 +1 @@
5884ee847542641d04abfbfdeca3446d0300670b

This file was deleted.

@@ -0,0 +1 @@
83bfa8229f7127d933161aefb281e54a9ffcf9f4
