There is a vulnerability in bcprov 1.65,upgrade recommended

[QiAnXinCodeSafe]

aws-encryption-sdk-java/pom.xml

Lines 49 to 53 in 913db60

	<dependency>
	<groupId>org.bouncycastle</groupId>
	<artifactId>bcprov-ext-jdk15on</artifactId>
	<version>1.65</version>
	</dependency>

CVE-2020-28052

Recommended upgrade version：
1.67

[seebees]

Thank you for the report.
We investigated this as soon as the CVE posted
and confirmed the AWS Encryption SDK for Java
does not use the impacted Bouncy Castle code.

We will continue to monitor our dependencies
and appreciate you reaching out.

[Neustradamus]

An update directly to 1.68 ^^

[Neustradamus]

Linked to:

• Please update Bouncy Castle aws-dynamodb-encryption-java#127

[lavaleri]

Thank you for the update. We plan to upgrade this dependency to the latest version as part of our next release.

I will update and close this ticket once we have released with the upgraded dependency.

[Neustradamus]

@WesleyRosenblum, @robin-aws: ping :)

[lavaleri]

This was upgraded as part of the 2.2.0 release. Thank you for the report!