Spring Security 6.1 is in Enterprise support, but we do need to update the dependency of org.bouncycastle.bcpkix.jdk15on to org.bouncycastle.bcpkix.jdk18on in order to be able to fix CVE-2024-29857 and CVE-2024-34447.

CVE revealed by OWASP.

See: https://nvd.nist.gov/vuln/detail/CVE-2024-29857 and https://nvd.nist.gov/vuln/detail/CVE-2024-34447

Comment From: jzheaux

Thanks for this report, @gaetan-deltombe. Unfortunately, applying it to 6.1 won't achieve what you want due to https://github.com/spring-projects/spring-security/pull/15804#issuecomment-2354200654.

Please see that comment and feel free to file another ticket for later versions of Spring Security.