0.38.0 has high bouncycastle security vulnerability
BernhardLenz opened this issue · comments
Bernhard Lenz commented
According to mvnrepository, sshj version 0.38.0 uses org.bouncycastle:bcprov-jdk18on:jar:1.75.
However, bouncycastle has a high security vulnerability:
https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6612984
Can you please release 0.39.0 with bouncycastle 1.78.1?
David Handermann commented
I submitted pull request #945 to upgrade Bouncy Castle to 1.78.1. For projects depending on SSHJ, it is possible to override the transitive dependency version of bcprov-jdk18on.
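One way to apply the transitive override mentioned in the comment above, shown for a Maven build. This is an added example, not part of the thread or of the SSHJ project; the consumer coordinates are placeholders, and it assumes SSHJ is pulled in as `com.hierynomus:sshj` and also brings in `bcpkix-jdk18on`, which is pinned to the same version to keep the Bouncy Castle artifacts aligned.

```xml
<!-- Added example: pom.xml of a hypothetical project that depends on SSHJ 0.38.0 -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Placeholder coordinates for the consuming project -->
  <groupId>com.example</groupId>
  <artifactId>sshj-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Version requested in the issue -->
    <bouncycastle.version>1.78.1</bouncycastle.version>
  </properties>

  <!-- dependencyManagement entries take precedence over the versions
       that SSHJ declares for its own (transitive) dependencies -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <!-- Assumption: SSHJ also depends on bcpkix-jdk18on; keep it on the same release -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.hierynomus</groupId>
      <artifactId>sshj</artifactId>
      <version>0.38.0</version>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=org.bouncycastle` afterwards shows which Bouncy Castle versions the build actually resolves, so the override can be confirmed before shipping.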