Missing 1.78 release tag? #1618
Comments
I'm still waiting on 1 item of documentation.
I need a tag, too
I need a tag, three
Still waiting...
Waiting...
Still no 1.78 release tag.... QAQ ... @dghgit
Still no CVE ID.
This one? https://www.bouncycastle.org/releasenotes.html CVE-2024-301XX - When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.
Yep, that's the one.
https://www.bouncycastle.org/releasenotes.html Why does the list of resolved bugs have an indeterminate CVE ID? In addition, the build package for version 1.78 is already present in the Maven repository, which means that the code is ready. @dghgit Why do you need to wait for the CVE ID before adding a tag? 😥
So the CVE ID was requested a bit over a week ago, prior to the rollout. Usually we hear back within 24 hours, however this time around it's taking longer. No idea why, but that's why there is an indeterminate CVE, and as the documentation is part of the code I can't do a final tag till I've actually been able to complete the documentation. Frustrating, I know. As an aside, there are issues with the OSGI manifests in this release: the bcutil jar changed its exports, and somehow the org.bouncycastle import clause was deleted from some of the ancillary jars. At any rate it means I'll be following up with a 1.78.1 in the next few days.
Understand now. Thank you for your work. 👍 @dghgit
What's the plan for 1.78.1?
I need a tag, too
Missing 1.78.1 tag
Okay, I'll admit this has now gotten a bit crazy. I'm in the process of publishing the 1.78.1 artifacts now. When that's done I'll do the tags regardless of whether we have the CVE ID or not. It's not ideal, but it looks like we'll have to update the documentation after the fact. I'll still move the tag in our version of the repo, but it's going to be very difficult for people who've branched off the tag earlier to keep track of this. Apologies, I really thought we'd have the ID by now; it's quite unprecedented that it's taken so long.
Tags should be showing up shortly. Recommend building off r1rv78v1 rather than r1rv78. Still no sign of CVE ID.
Tag now published; to reiterate, recommend using r1rv78v1
@dghgit, it is possible to create a GitHub advisory and then request a CVE for it. Maybe that could be an alternative for you in the future?
The advantage of requesting one directly is that we can maintain control of publication - for serious CVEs there is often an embargo period, so the ID gets allocated well before publishing. I was at the CERT advisory meeting a couple of weeks ago before RSA; it seems the issues that caused the delay at MITRE on this occasion have been dealt with,
It sounds like this is possible with CVEs requested through GitHub Advisories as well. From the docs:
This blog post also says:
Thanks for the information, I'll look into it.
Could add a tag for 1.78 version