https://bugzilla.redhat.com/show_bug.cgi?id=908428
This flaw does not affect EAP. The affected component is bcprov-jdk14-138.jar, which ships as part of the generic deployable zip (but not the EAP deployable zip). Setting this back to 6.0.1?.
Seems to be introduced by drools-verifier: [INFO] +- org.drools:drools-verifier:jar:6.1.0-SNAPSHOT:compile [INFO] | +- com.google.guava:guava:jar:13.0.1:compile [INFO] | \- com.lowagie:itext:jar:2.1.2:compile [INFO] | +- bouncycastle:bcmail-jdk14:jar:138:compile [INFO] | \- bouncycastle:bcprov-jdk14:jar:138:compile
After doing a "mvn dependency:tree" on all of droolsjbpm (non-full build though), we see that bouncycastle comes in only through itext. In turn, itext is used by drools-verifier and jfreechart (which is used by optaplanner and dashboard-builder etc).
*** Bug 1058459 has been marked as a duplicate of this bug. ***
Fixed on master: https://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/c8e8dffd42fb353b32327aef254ebc15460e6412 Fixed on 6.0.x: https://github.com/droolsjbpm/droolsjbpm-build-bootstrap/commit/87b099481ea3358142641077483fb12c323dfc29 PR for IP-bom: https://github.com/jboss-integration/jboss-integration-platform-bom/pull/44
Verified that the bcprov-jdk14 and bcmail-jdk14 jars are not present in the distribution zips. Once the Maven repo is available, I will verify also there.
Verified fixed in 6.0.1-CR1. The Maven repo does not contain any bcprov or bcmail artifacts.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-0371.html