update third-party lib org.cryptacular to v 1.2.4 because openSAML 3.4.5 includes v1.1.3 with CVE-2020-7226

1 files changed, 7 insertions, 0 deletions

diff --git a/pom.xml b/pom.xml
index c9f7309a..33588b5d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,6 +50,7 @@
     <org.springframework.version>5.2.8.RELEASE</org.springframework.version>
     <org.opensaml.version>3.4.5</org.opensaml.version>
     <org.apache.santuario.xmlsec.version>2.2.0</org.apache.santuario.xmlsec.version>
+    <org.cryptacular.version>1.2.4</org.cryptacular.version>
     <org.bouncycastle.bcprov-jdk15to18.version>1.67</org.bouncycastle.bcprov-jdk15to18.version>
     <org.bouncycastle.bctls-jdk15to18.version>1.67</org.bouncycastle.bctls-jdk15to18.version>
 
@@ -432,6 +433,12 @@
         <version>${org.apache.santuario.xmlsec.version}</version>
       </dependency>
       <dependency>
+        <!-- Set newer version, because 1.1.3 from openSAML dependency has an CVE-2020-7226 -->
+        <groupId>org.cryptacular</groupId>
+        <artifactId>cryptacular</artifactId>
+        <version>${org.cryptacular.version}</version>
+      </dependency>      
+      <dependency>
         <groupId>org.bouncycastle</groupId>
         <artifactId>bcprov-jdk15to18</artifactId>
         <version>${org.bouncycastle.bcprov-jdk15to18.version}</version>