Title: JARs for bouncycastle out of date
Type: security Severity: normal
Components: Versions:
Milestone: Jython 2.7.2
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: jeff.allen Nosy List: jeff.allen
Priority: normal Keywords: easy

Created on 2019-03-18.07:40:54 by jeff.allen, last changed 2019-07-21.05:46:53 by jeff.allen.

msg12372 (view) Author: Jeff Allen (jeff.allen) Date: 2019-03-18.07:40:53
Greg McDermott reports via Jython-dev (

I see in your 2.7.1 release an old version of bouncycastle.

$  unzip -l jython-installer-2.7.1.jar  | grep bcp
    20354  2017-06-30 19:03   Lib/distutils/bcppcompiler$py.class
    14941  2017-06-30 19:03   Lib/distutils/
   775948  2017-05-29 17:34   extlibs/bcpkix-jdk15on-1.57.jar
  3759724  2017-05-29 17:34   extlibs/bcprov-jdk15on-1.57.jar
   775948  2017-06-30 19:03   javalib/bcpkix-jdk15on-1.57.jar
  3759724  2017-06-30 19:03   javalib/bcprov-jdk15on-1.57.jar

are there plans to update to the latest, which is 1.6.1 currently. 
Can users simply update the jars directly for testing purposes,
or are other changes needed.


We should update the JARs. Updating distutils (if that is implied) is perhaps riskier as that infrastructure may have been customised for Jython. (pip breaks if you allow it to update itself.)
msg12374 (view) Author: Jeff Allen (jeff.allen) Date: 2019-03-18.07:52:51
A quick look shows that Lib/distutils/ is unrelated to bouncycastle, so ignore that.

Just the JARs and a test. (Easy if that passes.)
msg12510 (view) Author: Jeff Allen (jeff.allen) Date: 2019-05-12.13:02:19
Fix now in at:

Updating the JARs is easy, but now I get a regression on Java 7 (but not 8). At the moment, I don't understand why, so will add a skip citing #2770.
msg12598 (view) Author: Jeff Allen (jeff.allen) Date: 2019-07-21.05:46:53
Regression on Java 7 dos not seem a strong enough reason to keep this open.
Date User Action Args
2019-07-21 05:46:53jeff.allensetstatus: pending -> closed
messages: + msg12598
2019-05-12 13:02:19jeff.allensetstatus: open -> pending
resolution: accepted -> fixed
messages: + msg12510
2019-05-11 05:48:03jeff.allensetassignee: jeff.allen
2019-03-18 07:52:51jeff.allensetkeywords: + easy
resolution: accepted
messages: + msg12374
2019-03-18 07:40:54jeff.allencreate