Unexpected code execution vulnerability in bcprov-jdk15on dependency

[RobotLimeLtd]

All versions (tested on 6.2.1) depend on org.bouncycastle:bcprov-jdk15on:1.51 which has an unexpected code execution vulnerability. (See https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32412 for details).

Recommended resolution is to upgrade to 1.60 or higher. 1.62 is the latest and so far no reported vulnerabilities.

[rpalcolea]

Hi @RobotLimeLtd

Thanks for reporting this.

Unfortunately, there's nothing we can do at this point since this is really an issue in Redline library (https://github.com/craigwblake/redline)

This library uses PGPSecretKeyRingCollection(InputStream in) which is deprecated in 1.50-1.51 (https://github.com/bcgit/bc-java/blob/r1rv51/pg/src/main/java/org/bouncycastle/openpgp/PGPSecretKeyRingCollection.java#L48) and removed in 1.60 and 1.62 https://github.com/bcgit/bc-java/blob/r1rv62/pg/src/main/java/org/bouncycastle/openpgp/PGPSecretKeyRingCollection.java

Forcing this plugin to use that version just causes things to break.

We would need redline folks to fix their library.

I'll open an issue with them and try to follow up

[rpalcolea]

Opened issue and pull requests for this:
craigwblake/redline#143
craigwblake/redline#144

[elusiveeagle]

We should have a new release of redline soon (as early as today) thanks to @craigwblake! :)
craigwblake/redline#143 (comment)

[rpalcolea]

Great, thanks for the heads up! I'll keep an eye on it and upgrade as soon as it becomes available!

[rpalcolea]

Hi folks v7.6.3 contains the upgrade for redline 👍