[fix][sec] Upgrade BouncyCastle to 1.84 (CVE-2026-5588, CVE-2026-0636) #25569
Merged
nodece merged 2 commits into apache:master (Apr 23, 2026)
Conversation
Fixes two Bouncy Castle vulnerabilities:

- CVE-2026-5588: PKIX draft CompositeVerifier accepts an empty signature sequence (affects bcpkix 1.49-1.83, fixed in 1.84).
- CVE-2026-0636: LDAP injection in LDAPStoreHelper in bcprov (affects 1.74-1.83, fixed in 1.84).

Upgrades bcprov-jdk18on 1.78.1, bcpkix-jdk18on 1.81, and bcutil-jdk18on 1.81 to 1.84 under a single "bouncycastle" version key (these three artifacts release in lockstep).

Drops bcprov-ext-jdk18on: no release past 1.78.1 exists, and the BC team has retired the -ext variant (bc-java discussion apache#2175). Keeping 1.78.1 alongside bcprov 1.84 would shadow the LDAP-injection fix. Source audit of the three consumers (pulsar-client-messagecrypto-bc, bouncy-castle/bc, pulsar-broker tests) confirmed only classes present in plain bcprov are used (BouncyCastleProvider, ASN1/JCE/OpenSSL types).

Also bumps the FIPS 2.0.x line within the NIST 140-3 certified branch:

- bcpkix-fips 2.0.10 -> 2.0.11
- bcutil-fips 2.0.5 -> 2.0.6
- bc-fips stays at 2.0.1 (latest 2.0.x).

2.1.x is a separately-certified branch and is intentionally not adopted here; bcpkix-fips 2.0.11 and bcutil-fips 2.0.6 both declare bc-fips:[2.0.0,2.1.0), confirming 2.0 and 2.1 are not drop-in compatible.
Sync the bundled BouncyCastle JAR filenames in the server and shell binary LICENSE manifests to match the 1.84 upgrade. Verified with src/check-binary-license.sh against both distribution tarballs.
merlimat approved these changes Apr 22, 2026
dao-jun approved these changes Apr 23, 2026
Motivation
Fixes two Bouncy Castle vulnerabilities disclosed against BC-JAVA:

- CVE-2026-5588: CompositeVerifier accepts an empty signature sequence as valid, bypassing signature verification. Affects bcpkix 1.49–1.83. Fixed in 1.84. See GitLab advisory.
- CVE-2026-0636: LDAP injection in LDAPStoreHelper inside bcprov. Affects 1.74–1.83. Fixed in 1.84. See BC wiki.

Pulsar currently ships bcprov-jdk18on 1.78.1, bcpkix-jdk18on 1.81, and bcprov-ext-jdk18on 1.78.1, so it is exposed to both CVEs.

Modifications
Non-FIPS (BC-JAVA):
- Upgrades bcprov-jdk18on, bcpkix-jdk18on, and bcutil-jdk18on under a single bouncycastle = "1.84" version catalog key. These three artifacts release in lockstep on Maven Central (verified: identical version histories from 1.71 through 1.84), so one pin keeps them aligned.
- Drops bcprov-ext-jdk18on entirely. It has not been released past 1.78.1, and the BC team has retired the -ext variant (bc-java discussion #2175). Pinning it at 1.78.1 alongside bcprov 1.84 would leave the older LDAP classes on the classpath and effectively shadow the CVE-2026-0636 fix. A source audit of the three consumers (pulsar-client-messagecrypto-bc, bouncy-castle/bc, and pulsar-broker tests) confirmed that only classes present in plain bcprov-jdk18on are used (BouncyCastleProvider, ASN1*, jce.spec.*, openssl.*). Three build files now depend on libs.bcprov.jdk18on instead of libs.bcprov.ext.jdk18on.

FIPS:

- bcpkix-fips 2.0.10 → 2.0.11
- bcutil-fips 2.0.5 → 2.0.6
- bc-fips stays at 2.0.1 (latest 2.0.x; no newer 2.0.x exists)
- bcpkix-fips 2.0.11 and bcutil-fips 2.0.6 both declare bc-fips:[2.0.0,2.1.0), which is the BC FIPS team's own signal that 2.0 and 2.1 are not drop-in compatible.
- bcutil-fips moves from the inline string form to the standard module + version.ref form now that it has its own version key.

Verifying this change
This change is a trivial rework / code cleanup without any test coverage.
Local verification performed:

- The consuming modules (pulsar-client-messagecrypto-bc, pulsar-broker, bouncy-castle:bouncy-castle-bc, pulsar-functions:pulsar-functions-instance, tiered-storage:tiered-storage-file-system, pulsar-client-auth-athenz) consistently resolve bcprov/bcpkix/bcutil-jdk18on to 1.84, with no FAILED dependencies. Transitive requests at 1.78/1.80/1.82 upgrade to 1.84 via the enforced platform. The FIPS distribution mutually satisfies the [2.0.0,2.1.0) internal ranges.
- compileJava on pulsar-client-messagecrypto-bc, bouncy-castle:bouncy-castle-bc, and bouncy-castle:bcfips, plus compileTestJava on pulsar-broker, all pass.

Does this pull request potentially affect one of the following parts:
Dependency change highlights:

- bcprov-jdk18on: 1.78.1 → 1.84
- bcpkix-jdk18on: 1.81 → 1.84
- bcutil-jdk18on: 1.81 → 1.84 (transitive, pinned via unified bouncycastle key)
- bcprov-ext-jdk18on: removed (retired by BC; superset of bcprov; not needed by Pulsar)
- bcpkix-fips: 2.0.10 → 2.0.11
- bcutil-fips: 2.0.5 → 2.0.6
- bc-fips: unchanged at 2.0.1
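The invariants the verification above checks by hand (the three -jdk18on artifacts in lockstep, nothing below 1.84, no retired bcprov-ext-jdk18on left on the classpath) can be enforced over a Gradle dependency report. This is an added example, not the PR's or Pulsar's own script; the report lines are constructed to mimic `gradle :module:dependencies` output.

```shell
#!/bin/sh
# Added example, not part of the Pulsar PR: scan a Gradle dependency report
# for org.bouncycastle artifacts and fail if the non-FIPS -jdk18on artifacts
# are not in lockstep, resolve below 1.84, or if the retired
# bcprov-ext-jdk18on is still on the classpath.

# Constructed sample of `gradle :module:dependencies` output (not real output).
SAMPLE_REPORT='+--- org.bouncycastle:bcprov-jdk18on:1.78.1 -> 1.84
+--- org.bouncycastle:bcpkix-jdk18on:1.84
|    \--- org.bouncycastle:bcutil-jdk18on:1.82 -> 1.84
+--- org.bouncycastle:bc-fips:2.0.1
\--- org.bouncycastle:bcpkix-fips:2.0.11'

# Print "artifact resolvedVersion" pairs; Gradle prints "requested -> resolved"
# when an enforced platform upgrades a transitive request.
resolved_bc_versions() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^org\.bouncycastle:/) {
              split($i, a, ":"); v = a[3]
              if ($(i + 1) == "->") v = $(i + 2)
              print a[2], v } }'
}

# version_at_least A B: exit 0 when dotted version A >= B (so 1.78.1 < 1.84).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++)
            if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 > y[i] + 0 ? 0 : 1)
        exit 0 }'
}

# Exit 0 when the report satisfies the policy, 1 otherwise (reasons on stderr).
check_bc_report() {
    rc=0
    pairs=$(resolved_bc_versions "$1")
    if printf '%s\n' "$pairs" | grep -q '^bcprov-ext-jdk18on '; then
        echo "retired bcprov-ext-jdk18on still on the classpath" >&2; rc=1
    fi
    # Distinct resolved versions across bcprov/bcpkix/bcutil(-ext)-jdk18on.
    jdk_versions=$(printf '%s\n' "$pairs" | awk '$1 ~ /-jdk18on$/ && !seen[$2]++ { print $2 }')
    count=$(printf '%s\n' "$jdk_versions" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        echo "-jdk18on artifacts not in lockstep: $(echo $jdk_versions)" >&2; rc=1
    fi
    for v in $jdk_versions; do
        version_at_least "$v" 1.84 ||
            { echo "non-FIPS BouncyCastle resolves to $v (< 1.84)" >&2; rc=1; }
    done
    return $rc
}
```

Run it as `check_bc_report "$(./gradlew :pulsar-broker:dependencies)"` per module; the FIPS artifacts are listed but not checked here, since their [2.0.0,2.1.0) range is validated by Gradle itself.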