Java Release 1.78.1 is now available for download

1.78/1.78.1 is a mixture of security release and feature release. 4 CVEs are dealt with, in addition to that a NullPointerException that could occur in the OcspCache has been dealt with, PEM parsing is more forgiving of whitespace, a small error in the CCM length check for large nonce-sizes has been fixed. An issue in the BCJSSE that could cause issues with HSMs has been fixed, GOST public key algorithm parameters now follow RFC 9215. By way of additions NTRU now supports NTRU-HPS4096-1229 and NTRU-HRSS-1373 and the provider now has support for Java 21's KEMSpi using NTRU and SNTRU Prime. Composite signatures have been brought into line with the latest RFC draft, support has been added for encryption key derivation using HKDF in CMS, and an implementation of the XWing Hybrid KEM construction has also been added. Finally a new API supporting RFC 9420 "The Message Layer Security Protocol" has been added.

Further details on other additions and bug fixes can be found in the 1.78.1 and 1.78 release notes files accompanying the release.

Security Notes

Release 1.78 deals with the following CVEs:

• CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
• CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.
• CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
• CVE-2024-"TBD" - When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed (we are still waiting on a CVE ID).

Download 1.78.1 or learn more in the release notes:

Download