craigwblake / redline

Pure Java Rpm Library

Home Page:http://redline-rpm.org


org.bouncycastle:bcprov-jdk15on vulnerability detected

rpalcolea opened this issue · comments

Hi folks,

From: https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32412

Affected versions of this package are vulnerable to Unexpected Code Execution via the XMSS/XMSS^MT private key deserialization. A handcrafted private key could include references to unexpected classes which would be picked up from the class path for the executing application.

The recommendation is to use 1.60 at least.

This library uses PGPSecretKeyRingCollection(InputStream in) which is deprecated in 1.50-1.51 (https://github.com/bcgit/bc-java/blob/r1rv51/pg/src/main/java/org/bouncycastle/openpgp/PGPSecretKeyRingCollection.java#L48) and removed in 1.60 and 1.62 https://github.com/bcgit/bc-java/blob/r1rv62/pg/src/main/java/org/bouncycastle/openpgp/PGPSecretKeyRingCollection.java

Any chance you could do the adjustment soon?

Thanks
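For context on the API change mentioned above, here is an added illustration (not code from redline or from the Bouncy Castle project) of loading a secret key ring with the two-argument constructor that survives in bcpg 1.60+, in place of the removed `PGPSecretKeyRingCollection(InputStream)` form. The class name `SecretKeyLoader`, the method `loadSigningKey` and the file path are assumptions for the example; the Bouncy Castle calls (`PGPUtil.getDecoderStream`, `JcaKeyFingerprintCalculator`, `getSecretKey`, `isSigningKey`) are the library's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

// Hypothetical helper (assumption for this example): locates a signing key in an
// ASCII-armored or binary secret key ring file using the constructor that exists in
// bcpg 1.50 and later, so the code compiles against 1.60+ where the single-argument
// constructor was removed.
public final class SecretKeyLoader {

    private SecretKeyLoader() {
    }

    // keyId == 0 means "first signing key found"; otherwise the exact key id is required.
    public static PGPSecretKey loadSigningKey(Path keyRingFile, long keyId)
            throws IOException, PGPException {
        try (InputStream raw = Files.newInputStream(keyRingFile);
             // getDecoderStream transparently handles ASCII armor.
             InputStream in = PGPUtil.getDecoderStream(raw)) {

            // Removed in 1.60:  new PGPSecretKeyRingCollection(in)
            // Replacement:      supply an explicit fingerprint calculator.
            PGPSecretKeyRingCollection rings =
                    new PGPSecretKeyRingCollection(in, new JcaKeyFingerprintCalculator());

            if (keyId != 0L) {
                PGPSecretKey key = rings.getSecretKey(keyId);
                if (key == null) {
                    throw new PGPException("key id " + Long.toHexString(keyId)
                            + " not present in " + keyRingFile);
                }
                return key;
            }

            for (PGPSecretKeyRing ring : rings) {
                for (PGPSecretKey key : ring) {
                    if (key.isSigningKey()) {
                        return key;
                    }
                }
            }
            throw new PGPException("no signing key found in " + keyRingFile);
        }
    }

    public static void main(String[] args) throws Exception {
        // Path is a placeholder; point it at a real secret key ring to try this out.
        Path ring = Paths.get(args.length > 0 ? args[0] : "secring.gpg");
        PGPSecretKey key = loadSigningKey(ring, 0L);
        System.out.println("signing key id: " + Long.toHexString(key.getKeyID()));
    }
}
```

Because the two-argument constructor is present in every release from 1.50 onward, code written this way builds and runs whether the resolved Bouncy Castle version is 1.5x or 1.60+, which is exactly the situation a consumer hits when another plugin on the same classpath pulls in the newer artifact.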

@craigwblake, I believe #144 should take care of this

Any ETA on releasing v1.2.9 with this fix?

> Any ETA on releasing v1.2.9 with this fix?

Seconded! :)

This is also causing issues when using other gradle plugins that depend on newer 1.60+ versions of bouncycastle modules. Gradle's default dependency resolution of using the newest version (assuming that the libraries are backwards compatible) doesn't work in this case because the PGPSecretKeyRingCollection(InputStream in) method was removed.

Should be able to get a new release out today.

> Should be able to get a new release out today.

Wonderful! Thank you so much!

Thank you for the release @craigwblake 👍 you 🎸