0.38.0 has high bouncycastle security vulnerability

Question

0.38.0 has high bouncycastle security vulnerability

BernhardLenz opened this issue a month ago · comments

Bernhard Lenz commented a month ago

According to mvnrepository, sshj version 0.38.0 uses org.bouncycastle:bcprov-jdk18on:jar:1.75.

However bouncycastle has a high security vulnerability:
https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6612984

Can you please release 0.39.0 with bounceycastle 1.78.1?

David Handermann · Answer 1 · Thu May 16 2024 05:02:46 GMT+0800 (China Standard Time)

I submitted pull request #945 to upgrade Bouncy Castle to 1.78.1. For projects depending on SSHJ, it is possible to override the transitive dependency version of bcprov-jdk18on.