Hardcoded bouncycastle versions in plugin-cli

Hi elastic team!

In https://github.com/elastic/elasticsearch/issues/55145 @ikakavas mentioned you're using bouncycastle version 1.64. This matches what I've found in https://github.com/elastic/elasticsearch/blob/v7.7.0/buildSrc/version.properties#L30.

Also https://github.com/elastic/elasticsearch/blob/333a5d8cdf2783664d1d5a80d0b2534d6bbe635d/plugins/ingest-attachment/build.gradle#L55-L57 confirms this by using the version from the version properties file.

However, for instance in https://github.com/elastic/elasticsearch/blob/v7.7.0/distribution/tools/plugin-cli/build.gradle#L29-L30 instead of using the version from the version properties file, it's hardcoded to 1.0.3 and 1.0.1 respectively. This matches versions identified for bouncycastle-fips by our security scans.

Is that a bug or intentional? If it is intentional, why does it differ from the otherwise used version 1.64 as specified in the version properties file?

Looking forward to hearing from you about this. Thanks in advance!

Best regards,
Josephine
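The kind of check a dependency scan applies to the question raised above, added here as an example and not code from the post or from the Elasticsearch project: it reads a `version.properties` catalogue, parses Gradle dependency declarations, and classifies each one as centrally managed (a `${versions.<key>}` reference that resolves), dangling (a reference to a key the catalogue lacks), or hardcoded (a literal version). Literal pins are what a reviewer then compares against the catalogue, as with the 1.0.3 and 1.0.1 values in the post. The property file and both Gradle snippets are constructed; the FIPS artifact names are assumptions, only the version numbers come from the post.

```python
import re

# Constructed sample catalogue (not the real Elasticsearch version.properties).
VERSION_PROPERTIES = """\
# central version catalogue
elasticsearch = 7.7.0
bouncycastle  = 1.64
"""

# Constructed dependency block that takes its version from the catalogue.
GRADLE_CENTRAL = """\
dependencies {
  compile "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}"
  compile "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
}
"""

# Constructed dependency block with literal versions. Artifact names are
# assumed; the version numbers 1.0.3 and 1.0.1 are the ones quoted in the post.
GRADLE_HARDCODED = """\
dependencies {
  compile "org.bouncycastle:bcpg-fips:1.0.3"
  compile "org.bouncycastle:bc-fips:1.0.1"
  compile "org.example:missing-prop:${versions.example}"
}
"""

# One Gradle dependency line: <configuration> "<group>:<artifact>:<version-expr>"
DEP_RE = re.compile(
    r'^\s*(?:compile|api|implementation|runtimeOnly|testCompile|testImplementation)'
    r'\s+["\']([^:"\']+):([^:"\']+):([^"\']+)["\']',
    re.MULTILINE,
)
# A version expression that defers to the catalogue: ${versions.<key>}
PROP_REF_RE = re.compile(r'^\$\{versions\.([A-Za-z0-9_]+)\}$')


def parse_version_properties(text):
    """Parse 'key = value' lines into a dict, ignoring blanks and comments."""
    versions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        versions[key.strip()] = value.strip()
    return versions


def audit_dependencies(gradle_text, versions):
    """Classify every dependency declaration in a Gradle snippet.

    status is one of:
      central   - version is ${versions.<key>} and the key exists
      dangling  - version references a versions.<key> that does not exist
      hardcoded - version is a literal string
    """
    findings = []
    for group, artifact, version_expr in DEP_RE.findall(gradle_text):
        finding = {"coordinate": f"{group}:{artifact}", "expr": version_expr}
        ref = PROP_REF_RE.match(version_expr)
        if ref:
            key = ref.group(1)
            if key in versions:
                finding.update(status="central", version=versions[key])
            else:
                finding.update(status="dangling", version=None)
        else:
            finding.update(status="hardcoded", version=version_expr)
        findings.append(finding)
    return findings


def hardcoded_coordinates(findings):
    """Coordinates whose version bypasses the catalogue and needs review."""
    return [f["coordinate"] for f in findings if f["status"] == "hardcoded"]


if __name__ == "__main__":
    catalogue = parse_version_properties(VERSION_PROPERTIES)
    for snippet in (GRADLE_CENTRAL, GRADLE_HARDCODED):
        for f in audit_dependencies(snippet, catalogue):
            print(f"{f['status']:9} {f['coordinate']} -> {f['version']}")
```

A hardcoded finding is a review item, not a verdict: the literal may be a deliberate pin for an artifact that the catalogue does not cover, which is exactly the distinction the question asks the maintainers to confirm.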
