Hi,
We are currently using wildfly-26.1.0.Final, built using the wildfly feature pack. Recently we were notified by our security team to upgrade to the latest version of poi-ooxml (5.2.2). This library has dependencies on some jars which are marked private in the module in wildfly.
1. Would it be safe to upgrade bouncycastle (bcpkix-jdk15on, bcutil-jdk15on, bcprov-jdk15on,…) to 1.70?
    <module name="org.bouncycastle.bcutil" xmlns="urn:jboss:module:1.9">
        <properties>
            <property name="jboss.api" value="private"/>
        </properties>
        <resources>
            <resource-root path="bcutil-jdk15on-1.69.jar"/>
        </resources>
        <dependencies>
            <module name="org.bouncycastle.bcprov"/>
        </dependencies>
    </module>
2. Would it be safe to upgrade xmlsec to 2.3.0?
    <module name="org.apache.santuario.xmlsec" xmlns="urn:jboss:module:1.9">
        <exports>
            <exclude path="javax/**"/>
        </exports>
        <properties>
            <property name="jboss.api" value="private"/>
        </properties>
        <resources>
            <resource-root path="xmlsec-2.2.3.jar"/>
        </resources>
        <dependencies>
            <!--WFLY-14219 Remove deprecated <module name="javax.api"/> -->
            <module name="org.apache.commons.logging"/>
            <module name="org.apache.commons.codec"/>
            <module name="org.apache.xalan"/>
            <module name="org.slf4j"/>
            <module name="javax.xml.bind.api" services="import"/>
            <module name="com.sun.xml.bind" services="import"/>
            <module name="java.xml"/>
            <module name="java.xml.crypto"/>
        </dependencies>
    </module>
3. Would it be safe to upgrade commons-io to 2.11.0?
    <module name="org.apache.commons.io" xmlns="urn:jboss:module:1.9">
        <properties>
            <property name="jboss.api" value="private"/>
        </properties>
        <resources>
            <resource-root path="commons-io-2.10.0.jar"/>
        </resources>
    </module>
I am asking this question because the module file for these libraries in wildfly is marked as a private dependency.
Appreciate your help.
Sepideh