Replies: 8 comments
-
Hi, is there any updated status on this CVE?
-
Hi, when can we expect a bc-fips version in which the above CVE is fixed?
-
Yes, we're in the process of getting the GCM fix in 2.1.3 (available in the betas area) through certification. Note: the issue applies to decryption only, it doesn't affect single message decryption though, and only some chunked message decryptions.
-
@dghgit any timeline for bc-fips 2.1.3 rollout?
-
https://www.bouncycastle.org/betas now has the submission jars on it. Still no timeline but we're doing ops testing on Monday, hoping submission will follow soon after. Should have a timeline then.
-
Hi everyone,
We found another issue prior to the ops testing. I've just uploaded a new version to https://www.bouncycastle.org/betas
sha256 - f36d0db058a22e0f77dab33b97890a0f990779655326e7b73d548ba01ac58b5a bc-fips-2.1.3.zip
-
Hi, we've now also received some CVE reports, they have also been addressed as part of this update. We're going to need to redo the ops testing, but that should be done in the next 24 hours.
Please ensure you move to the release on: https://downloads.bouncycastle.org/betas/ It is as well hardened as it is likely to get.
sha256 476922bcbf98f7e049e97fad4cbd65cb7f8057f0325ddcdbe5d3ddf0d572aa03 bc-fips-2.1.3.zip
We would also like to acknowledge the support of Anthropic in getting this done in such a timely manner.
-
sha256 489412e6b1cbd33127fc0c8757a87269f2e8c48f2a513772748884ff325344f0 bc-fips-2.1.3.zip
We realized there was one issue still not patched. This distribution also includes the debug version. If someone, or rather someones, would try this out and confirm it's working for them it would be greatly appreciated.
-
In our org, we are currently using org.bouncycastle:bc-fips:2.1.2 and noticed the recently published advisory for CVE-2026-8149 / GHSA-mx76-r943-rf8g.
Could you please share:
whether a patched GA release for bc-fips is planned,
the expected version number,
and if there is an estimated timeline for availability?
We also noticed references to 2.1.3-SNAPSHOT, so we wanted to confirm whether an official production-ready release is expected soon.
Thank you for your help and for maintaining the project.