  1. MariaDB Connector/J
  2. CONJ-1289

CVE Vulnerability in latest version of MariaDB Connector/J


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.5.6
    • 3.5.7
    • None
    • None

    Description

      According to Maven Central, the latest version of MariaDB Connector/J includes a CVE vulnerability originating from its dependency on org.bouncycastle:bcpkix-jdk18on.
      I see that there is a pending PR that updates the version of bcpkix-jdk18on to address this issue. Do we know when this PR is expected to be merged?
      Also, the PR upgrades BouncyCastle to version 1.79, but Maven Central already contains newer versions of this library. Would it make more sense to update to the latest available version instead?

          People

            Diego Dupin
            Teodor Mysko