Please update Bouncy Castle #10335
Hi, what do you mean by the update? Could you please elaborate on what this is?
@flexsurfer: Thanks for your comment! Here in this project: https://github.com/status-im/status-react/search?q=bouncycastle&unscoped_q=bouncycastle Currently the last version is 1.65, please look at the previous links, there are CVEs...
@jakubgs are you aware of that?
I'm not aware of every single dependency we use but we clearly use it here:
Oh my bad, I thought it was solved for keycard, re-opening then, thank you!
@cammellos: At this time, it is Bouncy Castle 1.66
We upgraded to
@cammellos: Thanks for your reply, but unfortunately the problem is still here, it is not solved, please reopen this ticket: I confirm to you that it is important to have an up-to-date Bouncy Castle. Note: Other applications have been updated to the better Bouncy Castle 1.65/1.66...
@Neustradamus I wasn't checking @jakubgs could you confirm if that's correct? (i.e. what's listed under I am running the command:
and I have attached the output which only includes
Yes, I believe it is likely an issue on our side, could you please confirm that though? Re-opening until confirmed, thanks
@cammellos These versions are
Which I can confirm using go-maven-resolver:
The dependency on
Not sure about
Okay, it appears
Which in turn comes from the
What's defined in
@cammellos is this issue still relevant or can it be closed?
Still relevant I believe, we can check keycard if they updated though
Any news about it? At this time, the latest version is 1.69.
Currently we depend on version from Which is most probably because they are pulled in by different dependencies. I highly doubt we will EVER arrive at a setup where we only use the most recent version.
In relation to #10335 (comment), the classpath 'com.android.tools.build:gradle:1.5.0' https://github.com/itinance/react-native-fs/blob/v2.18.0/android/build.gradle#L11
In addition to that the classpath 'com.android.tools.build:gradle:1.1.3' https://github.com/status-im/react-native-keychain/blob/v.3.0.0-status/android/build.gradle#L7 But that's our own fork, so it could be updated fairly easily... probably. Also classpath 'com.android.tools.build:gradle:1.3.1' https://github.com/react-native-dialogs/react-native-dialogs/blob/v1.1.0/android/build.gradle#L7
@jakubgs: Thanks for your replies!
Maybe @cammellos might disagree, but I really don't think those older versions matter. Does it really matter if something like
Closing as a stale issue; please, feel free to reopen if it matters from a technical POV.
Dear @churik, It is not solved; there are always CVEs in your products! Currently, the last version of Bouncy Castle is 1.71. Please reopen this ticket and solve all vulnerabilities.
As I said in #10335 (comment), do we really care? The only reason for caring is possibly the dependency of implementation 'org.bouncycastle:bcprov-jdk15on:1.60' https://github.com/status-im/react-native-status-keycard/blob/af61b021/android/build.gradle#L47 From a short skim of the source code the only place it is actually used is in two files: Seems like quite the overkill to pull in such a big cryptographic library like BouncyCastle just to do hex decoding... But this is a question for Mobile team devs. But as far as I can tell we really should not care about these updates. I HIGHLY doubt there are actually dangerous vulnerabilities in hex decoding/encoding.
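The question running through this thread is which Bouncy Castle version actually lands on the classpath when several transitive dependencies (such as the 1.60 declared in react-native-status-keycard's build.gradle) each pin their own. As an added example, not code from the status-react project, the following Python parses the tree printed by Gradle's `dependencies` task, lists every org.bouncycastle artifact with its declared and resolved version, and flags resolved versions below a threshold; the embedded sample tree, its artifacts and the 1.66 threshold are constructed assumptions for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the format of `./gradlew app:dependencies` output.
# Artifacts and versions are made up for this example, not taken from status-react.
SAMPLE_TREE = """\
+--- project :react-native-status-keycard
|    +--- org.bouncycastle:bcprov-jdk15on:1.60 -> 1.66
|    \\--- com.android.support:support-annotations:28.0.0
+--- org.web3j:core:4.5.5
|    +--- org.bouncycastle:bcprov-jdk15on:1.66
|    \\--- org.bouncycastle:bcpkix-jdk15on:1.60 (*)
\\--- com.google.android.gms:play-services-base:17.0.0
"""

# A dependency line is "<tree prefix> group:name:declared", optionally followed by
# "-> resolved" when Gradle's conflict resolution replaced the declared version.
DEP_RE = re.compile(
    r"^[\s|+\\-]*(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.\-]+))?"
)

class Dep(NamedTuple):
    group: str
    name: str
    declared: str   # version written in some build.gradle
    resolved: str   # version Gradle actually puts on the classpath

def version_key(version: str):
    # Component-wise numeric comparison, so "1.60" < "1.66" < "1.71" (assumes dotted numeric versions).
    return tuple(int(p) if p.isdigit() else p for p in re.split(r"[.\-]", version))

def find_artifacts(tree: str, group_prefix: str = "org.bouncycastle") -> List[Dep]:
    found = []
    for line in tree.splitlines():
        m = DEP_RE.match(line)
        if not m or not m.group("group").startswith(group_prefix):
            continue
        declared = m.group("declared")
        found.append(Dep(m.group("group"), m.group("name"), declared,
                         m.group("resolved") or declared))
    return found

def outdated(deps: List[Dep], minimum: str) -> List[Dep]:
    # Judge the resolved version: a "1.60 -> 1.66" line is fine, a bare 1.60 is not.
    return [d for d in deps if version_key(d.resolved) < version_key(minimum)]
```

Feed it the real output of `./gradlew app:dependencies` to see whether a version declared in a fork's build.gradle is actually the one shipped, or has already been overridden by a newer transitive declaration.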
@churik: It is not solved: https://github.com/status-im/status-mobile/search?q=bouncycastle
We don't care. Our minimal usage of
Based on comment in: The CVE-2020-15522 present in