Issue 2742

Classification
Title:        JARs for bouncycastle out of date
Type:         security
Severity:     normal
Components:
Versions:
Milestone:    Jython 2.7.2

Process
Status:       closed
Resolution:   fixed
Dependencies:
Superseder:
Assigned To:  jeff.allen
Nosy List:    jeff.allen
Priority:     normal
Keywords:     easy

Created on 2019-03-18.07:40:54 by jeff.allen, last changed 2019-07-21.05:46:53 by jeff.allen.

Messages
msg12372 Author: Jeff Allen (jeff.allen) Date: 2019-03-18.07:40:53
Greg McDermott reports via Jython-dev (https://sourceforge.net/p/jython/mailman/message/36601045/):

-----------------------------------------------------------------------------
I see in your 2.7.1 release an old version of bouncycastle.

$  unzip -l jython-installer-2.7.1.jar  | grep bcp
    20354  2017-06-30 19:03   Lib/distutils/bcppcompiler$py.class
    14941  2017-06-30 19:03   Lib/distutils/bcppcompiler.py
   775948  2017-05-29 17:34   extlibs/bcpkix-jdk15on-1.57.jar
  3759724  2017-05-29 17:34   extlibs/bcprov-jdk15on-1.57.jar
   775948  2017-06-30 19:03   javalib/bcpkix-jdk15on-1.57.jar
  3759724  2017-06-30 19:03   javalib/bcprov-jdk15on-1.57.jar

Are there plans to update to the latest, which is 1.6.1 currently?
Can users simply update the jars directly for testing purposes,
or are other changes needed?

thanks
Greg
-----------------------------------------------------------------------------

We should update the JARs. Updating distutils (if that is implied) is perhaps riskier as that infrastructure may have been customised for Jython. (pip breaks if you allow it to update itself.)
msg12374 Author: Jeff Allen (jeff.allen) Date: 2019-03-18.07:52:51
A quick look shows that Lib/distutils/bcppcompiler.py is unrelated to bouncycastle, so ignore that.

Just the JARs and a test. (Easy if that passes.)
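The thread's `unzip -l ... | grep bcp` check is a quick inventory of bundled BouncyCastle JARs, but as the follow-up notes it also catches the unrelated `distutils/bcppcompiler` files, and it does not compare the versions it finds against anything. The script below is an added example, not code from the Jython project or from either poster: it inspects a JAR (any zip) for BouncyCastle artifacts by their `bc<artifact>-jdk<N>on-<version>.jar` naming, compares each version numerically with a minimum the caller supplies, and reports every location (the report shows both `extlibs/` and `javalib/` carry a copy, so both need updating). The sample archive is constructed in memory from the entry names listed in the report; the `MINIMUM_VERSION` threshold is an assumption for the demonstration, not a value from the page.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# File names of BouncyCastle artifacts look like bcprov-jdk15on-1.57.jar.
# Matching the whole basename means distutils/bcppcompiler.py (which a bare
# "grep bcp" also returns) is correctly left out.
BC_JAR_RE = re.compile(
    r"(?P<artifact>bc(?:prov|pkix|mail|pg|util))-(?P<jdk>jdk\d+on)"
    r"-(?P<version>\d+(?:\.\d+)*)\.jar"
)

# Assumed threshold for the demonstration; a real check would take this from
# the maintainer's current dependency policy.
MINIMUM_VERSION = "1.61"

# Constructed stand-in for the listing in the report (entry names only).
SAMPLE_ENTRIES = [
    "Lib/distutils/bcppcompiler$py.class",
    "Lib/distutils/bcppcompiler.py",
    "extlibs/bcpkix-jdk15on-1.57.jar",
    "extlibs/bcprov-jdk15on-1.57.jar",
    "javalib/bcpkix-jdk15on-1.57.jar",
    "javalib/bcprov-jdk15on-1.57.jar",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.57' into (1, 57) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_bouncycastle_jars(archive: zipfile.ZipFile) -> List[Dict[str, str]]:
    """Return one record per BouncyCastle JAR found anywhere inside the archive."""
    found = []
    for name in archive.namelist():
        basename = name.rsplit("/", 1)[-1]
        match = BC_JAR_RE.fullmatch(basename)
        if match:
            found.append({"path": name, **match.groupdict()})
    return found


def outdated_jars(archive: zipfile.ZipFile, minimum: str) -> List[Dict[str, str]]:
    """Subset of the BouncyCastle JARs whose version is below the given minimum."""
    floor = parse_version(minimum)
    return [e for e in find_bouncycastle_jars(archive) if parse_version(e["version"]) < floor]


def report(archive: zipfile.ZipFile, minimum: str) -> List[str]:
    """Human-readable lines, one per bundled BouncyCastle JAR, flagging outdated copies."""
    floor = parse_version(minimum)
    lines = []
    for e in find_bouncycastle_jars(archive):
        status = "OUTDATED" if parse_version(e["version"]) < floor else "ok"
        lines.append(f"{status:8} {e['artifact']} {e['version']} ({e['jdk']}) at {e['path']}")
    return lines


def build_sample_installer() -> zipfile.ZipFile:
    """Constructed in-memory archive with the entry names from the report; contents are empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_ENTRIES:
            zf.writestr(name, b"")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def scan_file(path: str, minimum: str = MINIMUM_VERSION) -> List[str]:
    """Run the same check against a JAR on disk (a JAR is a zip archive)."""
    with zipfile.ZipFile(path) as archive:
        return report(archive, minimum)


if __name__ == "__main__":
    for line in report(build_sample_installer(), MINIMUM_VERSION):
        print(line)
```

Because a JAR is a zip, `scan_file("jython-installer-2.7.1.jar")` performs the same check the reporter did by hand; the point of keeping the inventory in code is that the same check can be re-run against each new installer build instead of being a one-off.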
msg12510 Author: Jeff Allen (jeff.allen) Date: 2019-05-12.13:02:19
Fix now in at: https://hg.python.org/jython/rev/811692d463ac

Updating the JARs is easy, but now I get a regression on Java 7 (but not 8). At the moment, I don't understand why, so will add a skip citing #2770.
msg12598 Author: Jeff Allen (jeff.allen) Date: 2019-07-21.05:46:53
Regression on Java 7 does not seem a strong enough reason to keep this open.
History
Date                 User        Action  Args
2019-07-21 05:46:53  jeff.allen  set     status: pending -> closed; messages: + msg12598
2019-05-12 13:02:19  jeff.allen  set     status: open -> pending; resolution: accepted -> fixed; messages: + msg12510
2019-05-11 05:48:03  jeff.allen  set     assignee: jeff.allen
2019-03-18 07:52:51  jeff.allen  set     keywords: + easy; resolution: accepted; messages: + msg12374
2019-03-18 07:40:54  jeff.allen  create