Bug Details

We are using 2.2.7, the latest, and just wanted to know why the Bouncy Castle version has not yet been upgraded to 1.68 (latest), considering the security vulnerability.

spring-cloud-starter-netflix-zuul:jar:2.2.7.RELEASE was released 3 weeks back, and it also uses bcprov version 1.55:

```
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-zuul:jar:2.2.7.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-zuul:jar:2.2.7.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-netflix-hystrix:jar:2.2.7.RELEASE:compile
[INFO] |  |  |  \- org.springframework.boot:spring-boot-starter-aop:jar:1.5.22.RELEASE:compile
[INFO] |  |  \- org.apache.httpcomponents:httpclient:jar:4.5.9:compile
[INFO] |  |     +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] |  |     \- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:1.2.3.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.2.3.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.2.13.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.2.3.RELEASE:compile
[INFO] |  |  \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] |  |     \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
```

Added to that, we have the higher-version Bouncy Castle jars in jdk/jre/lib/ext, which are introduced by our product during installation. So can we remove them from pom.xml (via an exclusion), and will there be an issue if the Spring framework uses 1.68 in place of 1.55?
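
The two ways to get rid of the transitive bcprov/bcpkix 1.55 in a consumer project, as an added example that is not part of the issue or of the spring-cloud-netflix project's own build: either pin both Bouncy Castle artifacts to 1.68 in `dependencyManagement` (the project's own fix, per the comment below, is the same kind of version bump), or exclude them from the starter entirely when the JRE's `lib/ext` is meant to supply them. The coordinates are the ones from the tree above; the `1.68` version is the one the reporter asks about. Note that bcpkix depends on bcprov, so the two must always be moved together, and a wildcard `artifactId` in an exclusion needs Maven 3.2.1 or newer.

```xml
<!-- Option A: keep Bouncy Castle on the application classpath, but at 1.68.
     dependencyManagement wins over the transitive 1.55 pulled in by the starter.
     Both artifacts are pinned because bcpkix-jdk15on depends on bcprov-jdk15on
     and mixing versions of the two is not supported. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.68</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>
      <version>1.68</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Option B: drop Bouncy Castle from this dependency path altogether, e.g. when
     the jars are installed into jre/lib/ext by the product installer.
     The exclusion only applies to this path; if another dependency also brings
     in org.bouncycastle, it needs the same exclusion (or use Option A). -->
<dependencies>
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
    <exclusions>
      <exclusion>
        <groupId>org.bouncycastle</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Verify the result with `mvn dependency:tree -Dincludes=org.bouncycastle`: after Option A every `org.bouncycastle` line should read `1.68`, after Option B nothing should be listed. Two caveats for Option B: on Java 8 the extension class loader is a parent of the application class loader, so a class present in `jre/lib/ext` is loaded in preference to the same class on the classpath anyway, which means a leftover 1.55 jar in `target/lib` is shadowed rather than used, but it will still be flagged by dependency scanners; and the `lib/ext` mechanism no longer exists from Java 9 onward, so a move to a newer JDK requires switching to Option A.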

Comment From: OlgaMaciaszek

Was upgraded to 1.67 as part of https://github.com/spring-cloud/spring-cloud-netflix/commit/3bf50f3ef5a48bb99d4ceb5a874ef03868456900. Now have upgraded further to 1.68.