CVE-2023-33201 - new Encryption SDK release? #1669

Closed
mrwilby opened this issue Jun 23, 2023 · 1 comment
Labels
pending release Code is merged but has not been pushed to Maven.

Comments

@mrwilby
mrwilby commented Jun 23, 2023

This library appears to depend upon a vulnerable release of Bouncy Castle (BC).

Is it possible to bump the dependencies to a patched BC version and release a new artifact?

https://github.com/bcgit/bc-java/wiki/CVE-2023-33201

@texastony texastony added the pending release Code is merged but has not been pushed to Maven. label Jun 26, 2023
@josecorella
Contributor

Hello @mrwilby

We have released AWS ESDK Java 2.4.1, which includes an update to the Bouncy Castle dependency to no longer depend on a vulnerable version.

AWS Crypto Tools
