CVE-2024-34447
David Hook edited this page May 11, 2024 · 1 revision
Issue affecting: BC TLS Java 1.0.18 and earlier. BC FIPS TLS Java 1.0.18 and earlier.
Fixed versions: BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6). BC FIPS TLS Java 1.0.19.
Platform affected: All JVMs.
When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address.
See also discussion in:
https://github.com/bcgit/bc-java/issues/1656
Fix Commit:
https://github.com/bcgit/bc-java/commit/c47f6444a744396135322784b5fea1d35d46a8a7
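For callers that open TLS sockets themselves, the sketch below (an added example, not Bouncy Castle code and not taken from the fix commit) creates the socket with an explicit hostname, enables endpoint identification, and then rechecks the leaf certificate's dNSName entries against the name the caller intended, so a match against an IP address alone is never accepted. The class and method names `ExplicitHostTls`, `open` and `hasDnsName` are hypothetical, the host comes from the command line, and the assumption is that this recheck is wanted as defence in depth alongside the fixed versions listed above.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ExplicitHostTls {
    // Hand the provider the intended name (not just an address) and enable endpoint identification.
    static SSLSocket open(SSLSocketFactory factory, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            if (!hasDnsName(leaf, host)) {   // application-level recheck, independent of the provider
                throw new SSLPeerUnverifiedException("no dNSName SAN matches " + host);
            }
            return socket;
        } catch (Exception e) {
            socket.close();
            throw e;
        }
    }

    // True only if a dNSName SAN (type 2) matches; iPAddress SANs (type 7) are deliberately ignored.
    static boolean hasDnsName(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        int dot = h.indexOf('.');
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != 2) continue;
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            // Single left-most wildcard label only: *.example.org matches www.example.org.
            if (name.startsWith("*.") && dot > 0 && name.substring(1).equals(h.substring(dot))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // JDK default context here; with BCJSSE registered, use an initialised SSLContext.getInstance("TLS", "BCJSSE").
        try (SSLSocket s = open(SSLContext.getDefault().getSocketFactory(), args[0], 443)) {
            System.out.println("verified " + args[0] + " via " + s.getSession().getProtocol());
        }
    }
}
```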