From 903e5a3602aada24be011fe3b9fdf5dce1f421c2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 19:52:39 +0000
Subject: [PATCH 1/3] Initial plan


From dbee2a97f11f1a26cc0bda97618f70921e406d59 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 20:04:24 +0000
Subject: [PATCH 2/3] Update Bouncy Castle to fix CVE-2023-33201

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 657f56650b..6b43549db8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -776,8 +776,8 @@
 
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.70</version>
+            <artifactId>bcprov-jdk15to18</artifactId>
+            <version>1.74</version>
         </dependency>
 
         <!-- Kevin's fix for jar version conflicts. For future Benchmark 1.3 -->

From dae65626fb95e3b10fb8f350b96835f9723f18b5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 20:10:38 +0000
Subject: [PATCH 3/3] Exclude vulnerable Bouncy Castle transitive dependencies

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---
 pom.xml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/pom.xml b/pom.xml
index 6b43549db8..8668c18657 100644
--- a/pom.xml
+++ b/pom.xml
@@ -670,6 +670,16 @@
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-core</artifactId>
             <version>${version.apacheds}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
@@ -730,6 +740,16 @@
             <groupId>org.apache.directory.server</groupId>
             <artifactId>apacheds-protocol-ldap</artifactId>
             <version>${version.apacheds}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk15on</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk15on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
@@ -780,6 +800,12 @@
             <version>1.74</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk15to18</artifactId>
+            <version>1.74</version>
+        </dependency>
+
         <!-- Kevin's fix for jar version conflicts. For future Benchmark 1.3 -->
         <dependency>
             <groupId>org.hibernate</groupId>