Bump BouncyCastle from jdk15on to jdk15to18

jdk15on are not supported anymore since based development was moved from jsk15on to jdk18on. jdk15to18 contains fixed for: - CVE-2023-33201 - CVE-2022-45146 Signed-off-by: Andrey Pleskach <ples@aiven.io>
willyborankin · Jun 28, 2023 · feac2e2 · feac2e2
1 parent 317dd03
commit feac2e2
Show file tree

Hide file tree

Showing 22 changed files with 15 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -35,6 +35,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Bump `io.opencensus:opencensus-api` from 0.18.0 to 0.31.1 ([#7291](https://github.com/opensearch-project/OpenSearch/pull/7291))
 - OpenJDK Update (April 2023 Patch releases) ([#7344](https://github.com/opensearch-project/OpenSearch/pull/7344)
 - Bump `com.google.http-client:google-http-client:1.43.2` from 1.42.0 to 1.43.2 ([7928](https://github.com/opensearch-project/OpenSearch/pull/7928)))
+- Bump `org.bouncycastle:bcprov-jdk15on` to `org.bouncycastle:bcprov-jdk15to18` version 1.75 ([8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+- Bump `org.bouncycastle:bcmail-jdk15on` to `org.bouncycastle:bcmail-jdk15to18` version 1.75 ([8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+- Bump `org.bouncycastle:bcpkix-jdk15on` to `org.bouncycastle:bcpkix-jdk15to18` version 1.75 ([8247](https://github.com/opensearch-project/OpenSearch/pull/8247))
+
+
 
 ### Changed
 - [CCR] Add getHistoryOperationsFromTranslog method to fetch the history snapshot from translogs ([#3948](https://github.com/opensearch-project/OpenSearch/pull/3948))

diff --git a/buildSrc/version.properties b/buildSrc/version.properties
@@ -48,7 +48,7 @@ reactivestreams   = 1.0.4
 # when updating this version, you need to ensure compatibility with:
 #  - plugins/ingest-attachment (transitive dependency, check the upstream POM)
 #  - distribution/tools/plugin-cli
-bouncycastle=1.70
+bouncycastle=1.75
 # test dependencies
 randomizedrunner  = 2.7.1
 junit             = 4.13.2

diff --git a/plugins/identity-shiro/build.gradle b/plugins/identity-shiro/build.gradle
@@ -28,7 +28,7 @@ dependencies {
 
   implementation 'org.passay:passay:1.6.3'
 
-  implementation "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
+  implementation "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
 
   testImplementation project(path: ':modules:transport-netty4') // for http
   testImplementation project(path: ':plugins:transport-nio') // for http

diff --git a/plugins/identity-shiro/licenses/bcprov-jdk15on-1.70.jar.sha1 b/plugins/identity-shiro/licenses/bcprov-jdk15on-1.70.jar.sha1
diff --git a/plugins/identity-shiro/licenses/bcprov-jdk15to18-1.75.jar.sha1 b/plugins/identity-shiro/licenses/bcprov-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+df22e1b6a9f6b218913f5b68dd16641344397fe0
diff --git a/...shiro/licenses/bcprov-jdk15on-LICENSE.txt → ...iro/licenses/bcprov-jdk15to18-LICENSE.txt b/...shiro/licenses/bcprov-jdk15on-LICENSE.txt → ...iro/licenses/bcprov-jdk15to18-LICENSE.txt
diff --git a/...-shiro/licenses/bcprov-jdk15on-NOTICE.txt → ...hiro/licenses/bcprov-jdk15to18-NOTICE.txt b/...-shiro/licenses/bcprov-jdk15on-NOTICE.txt → ...hiro/licenses/bcprov-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/build.gradle b/plugins/ingest-attachment/build.gradle
@@ -71,9 +71,9 @@ dependencies {
   api "org.apache.pdfbox:fontbox:${versions.pdfbox}"
   api "org.apache.pdfbox:jempbox:1.8.17"
   api "commons-logging:commons-logging:${versions.commonslogging}"
-  api "org.bouncycastle:bcmail-jdk15on:${versions.bouncycastle}"
-  api "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
-  api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+  api "org.bouncycastle:bcmail-jdk15to18:${versions.bouncycastle}"
+  api "org.bouncycastle:bcprov-jdk15to18:${versions.bouncycastle}"
+  api "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
   // OpenOffice
   api "org.apache.poi:poi-ooxml:${versions.poi}"
   api "org.apache.poi:poi:${versions.poi}"

diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk15on-1.70.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcmail-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+b316bcd094e3917b1ece93a6edbab93f8315fb3b
diff --git a/...hment/licenses/bcmail-jdk15on-LICENSE.txt → ...ent/licenses/bcmail-jdk15to18-LICENSE.txt b/...hment/licenses/bcmail-jdk15on-LICENSE.txt → ...ent/licenses/bcmail-jdk15to18-LICENSE.txt
diff --git a/...chment/licenses/bcmail-jdk15on-NOTICE.txt → ...ment/licenses/bcmail-jdk15to18-NOTICE.txt b/...chment/licenses/bcmail-jdk15on-NOTICE.txt → ...ment/licenses/bcmail-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk15on-1.70.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcpkix-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+f16e5252ad7a46d5eaf255231b0a5da307599082
diff --git a/...hment/licenses/bcpkix-jdk15on-LICENSE.txt → ...ent/licenses/bcpkix-jdk15to18-LICENSE.txt b/...hment/licenses/bcpkix-jdk15on-LICENSE.txt → ...ent/licenses/bcpkix-jdk15to18-LICENSE.txt
diff --git a/...chment/licenses/bcpkix-jdk15on-NOTICE.txt → ...ment/licenses/bcpkix-jdk15to18-NOTICE.txt b/...chment/licenses/bcpkix-jdk15on-NOTICE.txt → ...ment/licenses/bcpkix-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk15on-1.70.jar.sha1
diff --git a/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1 b/plugins/ingest-attachment/licenses/bcprov-jdk15to18-1.75.jar.sha1
@@ -0,0 +1 @@
+df22e1b6a9f6b218913f5b68dd16641344397fe0
diff --git a/...hment/licenses/bcprov-jdk15on-LICENSE.txt → ...ent/licenses/bcprov-jdk15to18-LICENSE.txt b/...hment/licenses/bcprov-jdk15on-LICENSE.txt → ...ent/licenses/bcprov-jdk15to18-LICENSE.txt
diff --git a/...chment/licenses/bcprov-jdk15on-NOTICE.txt → ...ment/licenses/bcprov-jdk15to18-NOTICE.txt b/...chment/licenses/bcprov-jdk15on-NOTICE.txt → ...ment/licenses/bcprov-jdk15to18-NOTICE.txt
diff --git a/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy b/plugins/ingest-attachment/src/main/plugin-metadata/plugin-security.policy
@@ -35,9 +35,6 @@ grant {
   // needed to apply additional sandboxing to tika parsing
   permission java.security.SecurityPermission "createAccessControlContext";
 
-  // TODO: fix PDFBox not to actually install bouncy castle like this
-  permission java.security.SecurityPermission "putProviderProperty.BC";
-  permission java.security.SecurityPermission "insertProvider";
   // TODO: fix POI XWPF to not do this: https://bz.apache.org/bugzilla/show_bug.cgi?id=58597
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
   // needed by xmlbeans, as part of POI for MS xml docs

diff --git a/test/fixtures/hdfs-fixture/build.gradle b/test/fixtures/hdfs-fixture/build.gradle
@@ -51,7 +51,7 @@ dependencies {
   api "org.apache.logging.log4j:log4j-core:${versions.log4j}"
   api "io.netty:netty-all:${versions.netty}"
   api 'com.google.code.gson:gson:2.10.1'
-  api "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+  api "org.bouncycastle:bcpkix-jdk15to18:${versions.bouncycastle}"
   api "com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:${versions.jackson}"
   api "com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}"
   api "com.fasterxml.woodstox:woodstox-core:${versions.woodstox}"