This flaw does not affect EAP. The affected component is bcprov-jdk14-138.jar, which ships as part of the generic deployable zip (but not the EAP deployable zip). Setting this back to 6.0.1?
Seems to be introduced by drools-verifier:
[INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile
[INFO] |  +- com.google.guava:guava:jar:13.0.1:compile
[INFO] |  \- com.lowagie:itext:jar:2.1.2:compile
[INFO] |     +- bouncycastle:bcmail-jdk14:jar:138:compile
[INFO] |     \- bouncycastle:bcprov-jdk14:jar:138:compile
After doing a "mvn dependency:tree" on all of droolsjbpm (non-full build though), we see that bouncycastle comes in only through itext. In turn, itext is used by drools-verifier and jfreechart (which is used by optaplanner and dashboard-builder etc).
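To do the same transitive-dependency triage mechanically, here is an added Python example (not from the bug report or the drools project) that parses `mvn dependency:tree` output and reports every path ending in a bouncycastle artifact plus the direct dependency to fix or exclude; the sample tree is constructed, mirroring the excerpt above, with a made-up root and jfreechart branch.

```python
import re

# Constructed sample of `mvn dependency:tree` output: the drools-verifier branch
# mirrors the bug report excerpt; the root and jfreechart branch are made up.
SAMPLE_TREE = r"""
[INFO] org.drools:droolsjbpm-parent:pom:6.1.0-SNAPSHOT
[INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile
[INFO] |  +- com.google.guava:guava:jar:13.0.1:compile
[INFO] |  \- com.lowagie:itext:jar:2.1.2:compile
[INFO] |     +- bouncycastle:bcmail-jdk14:jar:138:compile
[INFO] |     \- bouncycastle:bcprov-jdk14:jar:138:compile
[INFO] \- org.jfree:jfreechart:jar:1.0.13:compile
[INFO]    \- org.jfree:jcommon:jar:1.0.16:compile
"""

# One tree line: indent in 3-column steps, an optional branch marker, then the
# Maven coordinate groupId:artifactId:type[:classifier]:version[:scope].
DEP_LINE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?:(?P<branch>[+\\]- ))?"
    r"(?P<coord>[\w.\-]+:[\w.\-]+:[\w.\-]+:[\w.\-]+(?::[\w.\-]+)*)"
)

def parse_tree(text):
    """Yield (depth, coordinate) per dependency line; other [INFO] lines are skipped."""
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m is None:
            continue
        depth = 0 if m.group("branch") is None else len(m.group("indent")) // 3 + 1
        yield depth, m.group("coord")

def find_paths(text, predicate):
    """Return every root-to-artifact path whose last node satisfies `predicate`."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # back up to the parent of this node
        stack.append(coord)
        if predicate(coord):
            hits.append(list(stack))
    return hits

def is_bouncycastle(coord):
    """Match both the legacy 'bouncycastle' and the current 'org.bouncycastle' groupIds."""
    return coord.split(":")[0] in ("bouncycastle", "org.bouncycastle")

def direct_culprits(text, predicate):
    """The direct (first-level) dependencies through which matching artifacts arrive."""
    return {path[1] for path in find_paths(text, predicate) if len(path) > 1}
```

Run it against the real output of `mvn dependency:tree` (saved to a file) to get the same answer the comment above reached by hand: both bouncycastle jars arrive only via drools-verifier, through itext.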
*** Bug 1058459 has been marked as a duplicate of this bug. ***
Fixed on master:
Fixed on 6.0.x:
PR for IP-bom:
Verified that the bcprov-jdk14 and bcmail-jdk14 jars are not present in the distribution zips. Once the Maven repo is available, I will also verify there.
Verified fixed in 6.0.1-CR1. The Maven repo does not contain any bcprov or bcmail artifacts.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.