fix(security): upgrade Bouncy Castle 1.81 → 1.84 (CVE-2025-14813) #36115

Closed
mcenkar wants to merge 1 commit into dotCMS:main from mcenkar:main

Conversation

mcenkar (Contributor) commented Jun 11, 2026

Similar to #35897 but it's still in com.dotcms.tika-25.07.10_lts_v12.jar

Upgrade contains no breaking changes: https://dist.apache.org/repos/dist/release/tika/3.3.1/CHANGES-3.3.1.txt

Can be verified by running ./mvnw -pl :com.dotcms.tika -am dependency:tree -Dincludes=org.bouncycastle

Before:

[INFO] --- dependency:3.6.0:tree (default-cli) @ com.dotcms.tika --- 
[INFO] com.dotcms.core.plugins:com.dotcms.tika:bundle:1.0.0-SNAPSHOT 
[INFO] \- org.apache.tika:tika-parsers-standard-package:jar:3.2.2:runtime
[INFO]    \- org.apache.tika:tika-parser-crypto-module:jar:3.2.2:runtime
[INFO]       +- org.bouncycastle:bcjmail-jdk18on:jar:1.81:runtime
[INFO]       |  \- org.bouncycastle:bcpkix-jdk18on:jar:1.81.1:runtime
[INFO]       |     \- org.bouncycastle:bcutil-jdk18on:jar:1.81.1:runtime
[INFO]       \- org.bouncycastle:bcprov-jdk18on:jar:1.81:runtime

After:

[INFO] --- dependency:3.6.0:tree (default-cli) @ com.dotcms.tika --- 
[INFO] com.dotcms.core.plugins:com.dotcms.tika:bundle:1.0.0-SNAPSHOT 
[INFO] \- org.apache.tika:tika-parsers-standard-package:jar:3.3.1:runtime
[INFO]    \- org.apache.tika:tika-parser-crypto-module:jar:3.3.1:runtime
[INFO]       +- org.bouncycastle:bcjmail-jdk18on:jar:1.84:runtime
[INFO]       |  \- org.bouncycastle:bcpkix-jdk18on:jar:1.84:runtime
[INFO]       |     \- org.bouncycastle:bcutil-jdk18on:jar:1.84:runtime
[INFO]       \- org.bouncycastle:bcprov-jdk18on:jar:1.84:runtime
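As an added defender-side check that is not part of this PR or the dotCMS code base: the script below parses dependency:tree output such as the "Before" listing above and reports every org.bouncycastle artifact whose version is below a chosen floor, comparing versions numerically so that 1.81.1 is correctly ranked below 1.84 (a plain string compare would get that wrong). The function and constant names and the embedded sample are assumptions made for this example.

```python
import re
import sys

# One Maven coordinate as printed by dependency:tree, e.g.
# "org.bouncycastle:bcpkix-jdk18on:jar:1.81.1:runtime" (scope is optional).
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>[\w\-]+))?"
)

# Sample input: the "Before" tree quoted in the PR description.
SAMPLE_TREE = r"""
[INFO] \- org.apache.tika:tika-parsers-standard-package:jar:3.2.2:runtime
[INFO]    \- org.apache.tika:tika-parser-crypto-module:jar:3.2.2:runtime
[INFO]       +- org.bouncycastle:bcjmail-jdk18on:jar:1.81:runtime
[INFO]       |  \- org.bouncycastle:bcpkix-jdk18on:jar:1.81.1:runtime
[INFO]       |     \- org.bouncycastle:bcutil-jdk18on:jar:1.81.1:runtime
[INFO]       \- org.bouncycastle:bcprov-jdk18on:jar:1.81:runtime
"""

def parse_version(v):
    """Split '1.81.1' into (1, 81, 1) so that 1.81.1 compares below 1.84.
    Non-numeric qualifiers (SNAPSHOT, rc1) sort lowest so they never pass a floor."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))

def find_artifacts(tree_output, group_prefix="org.bouncycastle"):
    """Return (group, artifact, version) for every coordinate whose group starts with group_prefix."""
    found = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m and m.group("group").startswith(group_prefix):
            found.append((m.group("group"), m.group("artifact"), m.group("version")))
    return found

def outdated(tree_output, min_version, group_prefix="org.bouncycastle"):
    """Return matching artifacts whose version is below min_version, sorted by artifact id."""
    floor = parse_version(min_version)
    bad = [a for a in find_artifacts(tree_output, group_prefix) if parse_version(a[2]) < floor]
    return sorted(bad, key=lambda a: a[1])

if __name__ == "__main__":
    # Usage: python check_bc.py [tree.txt]; with no file it scans the embedded sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for group, artifact, version in outdated(data, "1.84"):
        print(f"{group}:{artifact}:{version} is below 1.84")
```

Feed it the saved output of ./mvnw -pl :com.dotcms.tika -am dependency:tree -Dincludes=org.bouncycastle to confirm the upgraded tree reports nothing.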
dsilvam (Member) commented Jun 11, 2026

This was already implemented and backported to 25.07.10 LTS. It's available on 25.07.10_lts_v12_6fa7199

mcenkar (Contributor, Author) commented Jun 12, 2026

Hi @dsilvam, it was only partially implemented: in the mentioned tag - https://github.com/dotCMS/core/blob/v25.07.10_lts_v12/independent-projects/core-plugins/tika-plugin/pom.xml#L16 - it's still the old version of Tika - https://mvnrepository.com/artifact/org.apache.tika/tika-parser-crypto-module/3.2.2/dependencies - which pulls in the old Bouncy Castle. Also in the main branch it's the same old version.

dsilvam (Member) commented Jun 16, 2026

Closing in favor of #36139 so the checks can run

dsilvam closed this Jun 16, 2026