
Bump bouncycastle from 1.77 to 1.78 #13243

Merged (1 commit) on Apr 16, 2024

Conversation

reta (Collaborator) commented Apr 16, 2024

Description

Bump bouncycastle from 1.77 to 1.78

Related Issues

N/A

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Failing checks are inspected and point to the corresponding known issue(s) (See: Troubleshooting Failing Builds)
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)
  • Public documentation issue/PR created

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@reta added the "dependencies" label (Pull requests that update a dependency file) on Apr 16, 2024
@reta added the "backport 2.x" label (Backport to 2.x branch) and removed the "backport" label (PRs or issues specific to backporting features or enhancements) on Apr 16, 2024
Contributor commented Apr 16, 2024

❕ Gradle check result for ac93409: UNSTABLE

  • TEST FAILURES:
      2 org.opensearch.cluster.coordination.AwarenessAttributeDecommissionIT.testConcurrentDecommissionAction

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

codecov bot commented Apr 16, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.44%. Comparing base (b15cb0c) to head (ac93409).
Report is 179 commits behind head on main.

@@             Coverage Diff              @@
##               main   #13243      +/-   ##
============================================
+ Coverage     71.42%   71.44%   +0.02%     
- Complexity    59978    60654     +676     
============================================
  Files          4985     5040      +55     
  Lines        282275   285432    +3157     
  Branches      40946    41335     +389     
============================================
+ Hits         201603   203924    +2321     
- Misses        63999    64678     +679     
- Partials      16673    16830     +157     


@reta reta merged commit 5375970 into opensearch-project:main Apr 16, 2024
79 of 81 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 16, 2024
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
(cherry picked from commit 5375970)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
reta pushed a commit that referenced this pull request Apr 16, 2024
(cherry picked from commit 5375970)

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
mwilso3 commented Apr 30, 2024

OS 1.3.x is currently on BC 1.75 which is vulnerable to a few new CVEs (CVE-2024-30172, CVE-2024-30171 and CVE-2024-29857).

Would it be possible to backport these BC upgrades to 1.3.x?

dblock (Member) commented Apr 30, 2024

@bbarani any reason not to backport these?

@mwilso3 want to help?

reta (Collaborator, Author) commented Apr 30, 2024

@dblock I think we could backport, but we need to make changes in lockstep with the security plugin; there were a few changes in permissions that have to be brought in.

dblock (Member) commented Apr 30, 2024

Thanks @reta, @mwilso3 what is the sev for the CVEs? I think we only backport highs and criticals to 1.x, so the verdict is yes, but you'll have to do the work. Let us know how we can help.

bbarani (Member) commented Apr 30, 2024

@bbarani any reason not to backport these?

@mwilso3 want to help?

I don't see any issues in backporting CVEs to the 1.x and 1.3 branches. Keep in mind, some of the library updates will require additional work in the actual code apart from the version bump.

mwilso3 commented May 1, 2024

One of the CVEs is high; the other two are medium.

we need to make changes in lockstep with security plugin, there were a few changes in permissions that have to be brought in.

Happy to do the work; however, I haven't worked in the OS codebase, so I might need some guidance or elaboration on the above. I'll get started on the backport and reach out with any issues.

mwilso3 pushed a commit to mwilso3/OpenSearch-fork that referenced this pull request May 1, 2024
Signed-off-by: Milly Wilson <mwilson3@atlassian.com>
mwilso3 pushed a commit to mwilso3/OpenSearch-fork that referenced this pull request May 1, 2024
reta added a commit that referenced this pull request May 6, 2024
…0172, CVE-2024-30171 and CVE-2024-29857) (#13484)

* [Backport][1.3] Bump BouncyCastle to 1.76 (#10219)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* [Backport][1.3] Update BouncyCastle dependencies from jdk15to18 to jdk18on (#12317)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* [Backport][1.3] Bump bouncycastle from 1.77 to 1.78 (#13243)

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* PR#13484 Re-work

* Update BC from 1.78 to 1.78.1 with latest fixes.
* Remove incorrect jdk15to18 module replacement definitions as artifacts are still supported.
* Add release notes.
* Remove unnecessary license additions.

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* PR#13484 Re-work

* Rename licenses from jdk18on to jdk15to18 and 1.78 to 1.78.1.
* Update SHAs for BC 1.78.1 licenses.

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

* PR#13484 Re-work

Update Changelog and remove release notes file as this will be created upon release.

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>

---------

Signed-off-by: Milly Wilson <mwilson3@atlassian.com>
Co-authored-by: Andrey Pleskach <ples@aiven.io>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Andriy Redko <andriy.redko@aiven.io>