Update BouncyCastle to v1.67 #6128

Open
3 tasks
alkum opened this issue Apr 3, 2022 · 3 comments · May be fixed by bisq-network/bitcoinj#42

alkum commented Apr 3, 2022

We are currently using[1] BouncyCastle v1.63.

However, that version has at least one known CVE vulnerability[2].

Attempts to update BC have been discussed in the past (#4163) and it's a delicate balance between
a) staying with an older version, which is more widely used and more robustly tested, and
b) updating to a new version, which potentially brings in new not-yet-discovered bugs.

Since there are known CVEs for the version we use, I figured this is worth re-visiting.

So, as a compromise between the two, I suggest we update to the oldest version without known CVEs. This way we get rid of any known CVEs, but we're also conservative with the version we adopt.

The oldest version without known CVEs is v1.67 (see below).

Please feel free to upvote / downvote this, or post your pro / con thoughts below. Thanks.


Finding oldest version without known CVEs

I looked this up in different sources, just to be sure. They all pointed to v1.67:

  • The Maven repo lists known CVEs for all BC versions up to v1.66[3]. The oldest version listed without known CVEs is v1.67.
  • The newest security advisory from the BC release notes[4] is regarding v1.65 and v1.66, recommending an update to v1.67.
  • Searching the CVE DB[5] according to their recommendations[6] also points to the latest CVE[7] being the one found on v1.65/v1.66 and recommending an upgrade to v1.67.

Tasks

Footnotes

  1. https://github.com/bisq-network/bisq/blob/290ff8e607f7fe035e11da721989930afe0827df/build.gradle#L34

  2. https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.63

  3. https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on

  4. https://www.bouncycastle.org/releasenotes.html

  5. Using the GitHub advanced search query "bouncycastle repo:CVEproject/cvelist extension:json"

  6. https://cve.mitre.org/find/search_tips.html

  7. https://github.com/CVEProject/cvelist/blob/master/2020/28xxx/CVE-2020-28052.json
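The "oldest version without known CVEs" selection described above, as an added example (not code from the issue or from Bisq): it reads the pinned `bcprov-jdk15on` coordinate out of a `build.gradle` line, looks the version up in an advisory table, and picks the oldest release at or above the pinned one that has no known CVE. The advisory table is constructed; only CVE-2020-28052 (affecting v1.65/v1.66) comes from the issue, the other ids are placeholders.

```python
import re

# Constructed sample advisory table: version -> CVE ids known to affect it.
# Only CVE-2020-28052 (v1.65/v1.66) is taken from the issue; the other ids are
# placeholders standing in for the older advisories the Maven listing shows.
KNOWN_CVES = {
    "1.63": ["CVE-PLACEHOLDER-OLD"],
    "1.64": ["CVE-PLACEHOLDER-OLD"],
    "1.65": ["CVE-2020-28052"],
    "1.66": ["CVE-2020-28052"],
    "1.67": [],
    "1.68": [],
    "1.70": [],
}

# Constructed stand-in for the pinned dependency line in build.gradle.
BUILD_GRADLE_LINE = "    implementation 'org.bouncycastle:bcprov-jdk15on:1.63'"

COORD_RE = re.compile(r"['\"]org\.bouncycastle:bcprov-jdk15on:([0-9.]+)['\"]")


def version_key(v):
    # Compare per component numerically: "1.70" must sort after "1.68",
    # which a plain string comparison of "1.7" vs "1.68" would get wrong.
    return tuple(int(p) for p in v.split("."))


def pinned_version(gradle_text):
    # Returns the pinned bcprov version string, or None if no coordinate found.
    m = COORD_RE.search(gradle_text)
    return m.group(1) if m else None


def oldest_clean_version(advisories, at_least=None):
    # Oldest release with no known CVEs, never older than `at_least`,
    # so the recommendation can never be a downgrade.
    floor = version_key(at_least) if at_least else ()
    for v in sorted(advisories, key=version_key):
        if version_key(v) >= floor and not advisories[v]:
            return v
    return None


def recommend(gradle_text, advisories):
    # Summarise the pinned version, its known CVEs (None = not in table)
    # and the most conservative CVE-free upgrade target.
    current = pinned_version(gradle_text)
    return {"current": current,
            "cves": advisories.get(current),
            "target": oldest_clean_version(advisories, at_least=current)}


if __name__ == "__main__":
    print(recommend(BUILD_GRADLE_LINE, KNOWN_CVES))
```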

boring-cyborg bot commented Apr 3, 2022

Thanks for opening your first issue here!

Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.


alkum commented Apr 9, 2022

Tried to work on the first task, but no idea how to compile https://github.com/bisq-network/bitcoinj . Imported it into IDEA, but it keeps failing with obscure Gradle errors.

If anyone has any tips and tricks, please let me know.

napoly linked a pull request Jan 30, 2024 that will close this issue

napoly commented Jan 30, 2024

Created a PR to upgrade to 1.67. Please check. I need workflow approval :/ but for me it works here: https://github.com/napoly/bitcoinj/actions/runs/7718991644
