Skip to content

fix(deps): update dependency org.bouncycastle:bcprov-jdk18on to v1.84 [security]#153

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-org.bouncycastle-bcprov-jdk18on-vulnerability
Open

fix(deps): update dependency org.bouncycastle:bcprov-jdk18on to v1.84 [security]#153
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-org.bouncycastle-bcprov-jdk18on-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 18, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
org.bouncycastle:bcprov-jdk18on (source) 1.821.84 age confidence

Bouncy Castle has an LDAP injection

CVE-2026-0636 / GHSA-c3fc-8qff-9hwx

More information

Details

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper.

This issue affects BC-JAVA: from 1.74 before 1.84.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/RE:M/U:Amber

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Bouncy Castle Has Covert Timing Channel Vulnerability

CVE-2026-5598 / GHSA-p93r-85wp-75v3

More information

Details

Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java.

This issue only affects users of the FrodoKEM algorithm involved in the decryption of encapsulations.

This issue affects BC-JAVA: from 1.71 to 1.80.1, 1.81, 1.82 to 1.83.

Fixed versions: 1.80.2, 1.81.1, 1.84

Severity

  • CVSS Score: 8.9 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/S:P/AU:Y/U:Red

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks

CVE-2025-14813 / GHSA-574f-3g2m-x479

More information

Details

The GOST 28147-2015 CTR mode implementation (G3413CTRBlockCipher) in the Legion of the Bouncy Castle BC-JAVA bcprov core module only increments the final byte of the counter, so the counter wraps after 255 blocks and the keystream is reused. Reusing CTR keystream allows an attacker who can observe two ciphertexts produced with the same key/IV to recover the XOR of the plaintexts, breaking confidentiality. Affects BC-JAVA from 1.59 before 1.84 (with backported fixes in 1.80.2 and 1.81.1).

Severity

  • CVSS Score: 9.3 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/RE:M/U:Red

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title fix(deps): update dependency org.bouncycastle:bcprov-jdk18on to v1.84 [security] fix(deps): update dependency org.bouncycastle:bcprov-jdk18on to v1.84 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate
renovate Bot deleted the renovate/maven-org.bouncycastle-bcprov-jdk18on-vulnerability branch April 27, 2026 17:46
@renovate renovate Bot changed the title fix(deps): update dependency org.bouncycastle:bcprov-jdk18on to v1.84 [security] - autoclosed fix(deps): update dependency org.bouncycastle:bcprov-jdk18on to v1.84 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate
renovate Bot force-pushed the renovate/maven-org.bouncycastle-bcprov-jdk18on-vulnerability branch 2 times, most recently from e3d730a to 9cdbe02 Compare April 27, 2026 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants