Skip to content

[GHSA-574f-3g2m-x479] Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks#8524

Open
simon-reisinger-dynatrace wants to merge 1 commit into
simon-reisinger-dynatrace/advisory-improvement-8524from
simon-reisinger-dynatrace-GHSA-574f-3g2m-x479
Open

[GHSA-574f-3g2m-x479] Bouncy Castle for Java GOST 28147 CTR mode reuses keystream after 255 blocks#8524
simon-reisinger-dynatrace wants to merge 1 commit into
simon-reisinger-dynatrace/advisory-improvement-8524from
simon-reisinger-dynatrace-GHSA-574f-3g2m-x479

Conversation

@simon-reisinger-dynatrace

Copy link
Copy Markdown

Updates

  • Affected products
  • CVSS v4
  • Severity

Comments
Re-adding bcprov-jdk15on as proposed here. This is the legacy, unmaintained predecessor to bcprov-jdk15to18 and bcprov-jdk18on that was split into those two artifacts. As of now, Maven Central has no published 1.84 version for this package (see repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15on), so no fix version can be set.

Also had to patch the CVSS vector as it was malformed.

Copilot AI review requested due to automatic review settings July 7, 2026 07:54
@github-actions github-actions Bot changed the base branch from main to simon-reisinger-dynatrace/advisory-improvement-8524 July 7, 2026 07:55

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the GHSA-574f-3g2m-x479 advisory metadata to reflect revised affected packages and scoring/severity information for the Bouncy Castle GOST 28147 CTR keystream-reuse issue.

Changes:

  • Updates the CVSS v4 vector and downgrades database_specific.severity from CRITICAL to HIGH.
  • Re-adds bcprov-jdk15on to the affected packages list.
  • Bumps the advisory modified timestamp.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

{
"package": {
"ecosystem": "Maven",
"name": "bcprov-jdk15on"

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whoever has push rights, yes, this commit suggestion should be applied.

Comment on lines +453 to +462
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "1.59"
}
]
}
]

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maven Central does not yet list a published 1.84 version for this package. See repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15on. Therefore, we can't be sure whether a future 1.84 version would fix the vulnerability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants