Bug #19211
Status: closed
Some Java dependencies have security warnings and should be updated
Description
We have some dependencies that yield security warnings. Even if none impact us critically, we should update these dependencies:
- bcprov-jdk15on-1.65.jar
- commons-io-2.6.jar
- postgresql-42.2.12.jar
- spring-*-5.2.5.RELEASE.jar
- spring-security-*-5.3.1.RELEASE.jar
Updated by François ARMAND over 3 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by Alexis Mousset over 3 years ago
In particular CVE-2020-28052 in Bouncy Castle makes the local (bcrypt-based) user authentication vulnerable to brute force.
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
An attacker must brute-force password attempts until the bypass is triggered. Our experiments show that 20% of tested passwords were successfully bypassed within 1,000 attempts. Some password hashes take more attempts, determined by how many bytes lie between 0 and 60 (1 to 59). Further, our investigation shows that all password hashes can be bypassed with enough attempts. In rare cases, some password hashes can be bypassed with any input.
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
Updated by François ARMAND over 3 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/3611
Updated by François ARMAND over 3 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|2a02c043791e5e7094a4c4efb6bb198794a25e0c.
Updated by Alexis Mousset over 3 years ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ over 3 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.1.13 and 6.2.7, which were released today.