[bisq-network/bisq] Update BouncyCastle to v1.67 (Issue #6128)

alkum notifications at github.com
Sun Apr 3 19:29:22 CEST 2022


We are currently using[^6] BouncyCastle v1.63.

However, that version has at least one known CVE vulnerability[^7].

Attempts to update BC have been discussed in the past (https://github.com/bisq-network/bisq/issues/4163) and it's a delicate balance between
a) staying with an older version, but which is more widely used and more robustly tested, and
b) updating to a new version, which potentially brings in new not-yet-discovered bugs

Since there are known CVEs for the version we use, I figured this is worth re-visiting.

So, as a compromise between the two, I suggest we update to the _oldest version without known CVEs_. This way we get rid of any known CVEs, but we're also conservative with the version we adopt.

The _oldest version without known CVEs_ is v1.67 (see below).

Please feel free to upvote / downvote this, or post your pro / con thoughts below. Thanks.

---

**Finding oldest version without known CVEs**

I looked this up in different sources, just to be sure. They all pointed to v1.67:

* The maven repo lists known CVEs for all BC versions up to v1.66[^2]. The oldest version listed without known CVEs is v1.67.
* The newest security advisory from BC release notes[^1] is regarding v1.65 and v1.66, recommending to update to v1.67.
* Searching the CVE DB[^3] according to their recommendations[^4] also points to the latest CVE[^5] being the one found on v1.65/v1.66 and recommending upgrade to v1.67.

---

**Tasks**

- [ ] Update BC in https://github.com/bisq-network/bitcoinj
- [ ] Update Bisq to use upgraded bitcoinj
- [ ] Update BC in Bisq repo

[^1]: https://www.bouncycastle.org/releasenotes.html
[^2]: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on
[^3]: Using the GitHub advanced search query "bouncycastle repo:CVEproject/cvelist extension:json"
[^4]: https://cve.mitre.org/find/search_tips.html
[^5]: https://github.com/CVEProject/cvelist/blob/master/2020/28xxx/CVE-2020-28052.json
[^6]: https://github.com/bisq-network/bisq/blob/290ff8e607f7fe035e11da721989930afe0827df/build.gradle#L34
[^7]: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.63

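The selection rule described in this issue, written out as an added Python example (not code from the Bisq project or bitcoinj): each advisory is treated as an inclusive affected-version range, and the oldest available version at or above the current one that matches no advisory is chosen. The CVE-2020-28052 range (v1.65 and v1.66, fixed in v1.67) is taken from the issue; the second advisory, its range, the available-version list and the Gradle line are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.67' into (1, 67) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    affected: Tuple[str, str]  # inclusive (lowest, highest) affected version


def is_affected(version: str, advisory: Advisory) -> bool:
    lo, hi = (parse_version(x) for x in advisory.affected)
    return lo <= parse_version(version) <= hi


def known_cves(version: str, advisories: Sequence[Advisory]) -> List[str]:
    """All advisory IDs whose affected range covers the given version."""
    return sorted(a.cve_id for a in advisories if is_affected(version, a))


def oldest_clean_version(current: str, available: Sequence[str],
                         advisories: Sequence[Advisory]) -> Optional[str]:
    """Oldest version >= current with no known advisory (None if none exists)."""
    cur = parse_version(current)
    for v in sorted((v for v in available if parse_version(v) >= cur), key=parse_version):
        if not known_cves(v, advisories):
            return v
    return None


def bcprov_version_from_gradle(line: str) -> Optional[str]:
    """Extract the bcprov-jdk15on version from a Gradle dependency line."""
    m = re.search(r"org\.bouncycastle:bcprov-jdk15on:(\d+(?:\.\d+)+)", line)
    return m.group(1) if m else None


# Constructed sample data: only the first advisory's range comes from the issue.
AVAILABLE = ["1.%d" % n for n in range(60, 71)]
ADVISORIES = [
    Advisory("CVE-2020-28052", ("1.65", "1.66")),      # per the issue: fixed in 1.67
    Advisory("CVE-ID-PLACEHOLDER", ("1.0", "1.64")),   # stands in for the older, unnamed CVEs
]
GRADLE_LINE = "implementation 'org.bouncycastle:bcprov-jdk15on:1.63'"  # constructed

if __name__ == "__main__":
    current = bcprov_version_from_gradle(GRADLE_LINE)
    print(current, known_cves(current, ADVISORIES), oldest_clean_version(current, AVAILABLE, ADVISORIES))
```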