Title: JARs for bouncycastle out of date
Type: security Severity: normal
Components: Versions:
Milestone: Jython 2.7.2
Status: open Resolution: accepted
Dependencies: Superseder:
Assigned To: Nosy List: jeff.allen
Priority: normal Keywords: easy

Created on 2019-03-18.07:40:54 by jeff.allen, last changed 2019-03-18.07:52:51 by jeff.allen.

msg12372 (view) Author: Jeff Allen (jeff.allen) Date: 2019-03-18.07:40:53
Greg McDermott reports via Jython-dev (

I see in your 2.7.1 release an old version of bouncycastle.

$  unzip -l jython-installer-2.7.1.jar  | grep bcp
    20354  2017-06-30 19:03   Lib/distutils/bcppcompiler$py.class
    14941  2017-06-30 19:03   Lib/distutils/
   775948  2017-05-29 17:34   extlibs/bcpkix-jdk15on-1.57.jar
  3759724  2017-05-29 17:34   extlibs/bcprov-jdk15on-1.57.jar
   775948  2017-06-30 19:03   javalib/bcpkix-jdk15on-1.57.jar
  3759724  2017-06-30 19:03   javalib/bcprov-jdk15on-1.57.jar

are there plans to update to the latest, which is 1.6.1 currently. 
Can users simply update the jars directly for testing purposes,
or are other changes needed.


We should update the JARs. Updating distutils (if that is implied) is perhaps riskier as that infrastructure may have been customised for Jython. (pip breaks if you allow it to update itself.)
msg12374 (view) Author: Jeff Allen (jeff.allen) Date: 2019-03-18.07:52:51
A quick look shows that Lib/distutils/ is unrelated to bouncycastle, so ignore that.

Just the JARs and a test. (Easy if that passes.)
Date User Action Args
2019-03-18 07:52:51jeff.allensetkeywords: + easy
resolution: accepted
messages: + msg12374
2019-03-18 07:40:54jeff.allencreate