
HADOOP-19866. Upgrade bouncycastle to 1.84 for security #8443

Merged
steveloughran merged 2 commits into apache:trunk from pjfanning:HADOOP-19866-bc on Apr 20, 2026

Conversation

@pjfanning
Member

Description of PR

https://issues.apache.org/jira/browse/HADOOP-19866

https://www.bouncycastle.org/download/bouncy-castle-java/#release-notes

CVE-2025-14813 - GOSTCTR implementation unable to process more than 255 blocks correctly.
CVE-2026-0636 - LDAP Injection Vulnerability in LDAPStoreHelper.java.
CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature sequence as valid.
CVE-2026-5598 - Non-constant time comparisons risk private key leakage in FrodoKEM.

How was this patch tested?

For code changes:

  • Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

AI Tooling

If an AI tool was used:

@pan3793 pan3793 changed the title from "upgrade bouncycastle to 1.84 due to multiple CVEs" to "HADOOP-19866. Upgrade bouncycastle to 1.84 for security" on Apr 19, 2026
@hadoop-yetus

💔 -1 overall

| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|-----------|---------|---------|---------|
| +0 🆗 | reexec | 13m 0s | | Docker mode activated. |
| | _ Prechecks _ | | | |
| +1 💚 | dupname | 0m 0s | | No case conflicting files found. |
| +0 🆗 | codespell | 0m 0s | | codespell was not available. |
| +0 🆗 | detsecrets | 0m 0s | | detect-secrets was not available. |
| +0 🆗 | markdownlint | 0m 0s | | markdownlint was not available. |
| +0 🆗 | xmllint | 0m 0s | | xmllint was not available. |
| +0 🆗 | shelldocs | 0m 0s | | Shelldocs was not available. |
| +1 💚 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 ❌ | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
| | _ trunk Compile Tests _ | | | |
| +0 🆗 | mvndep | 1m 42s | | Maven dependency ordering for branch |
| +1 💚 | mvninstall | 40m 51s | | trunk passed |
| +1 💚 | compile | 15m 56s | | trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 💚 | compile | 16m 24s | | trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 💚 | mvnsite | 18m 25s | | trunk passed |
| +1 💚 | javadoc | 9m 42s | | trunk passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 💚 | javadoc | 9m 28s | | trunk passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 💚 | shadedclient | 45m 33s | | branch has no errors when building and testing our client artifacts. |
| | _ Patch Compile Tests _ | | | |
| +0 🆗 | mvndep | 0m 31s | | Maven dependency ordering for patch |
| +1 💚 | mvninstall | 35m 17s | | the patch passed |
| +1 💚 | compile | 16m 2s | | the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 💚 | javac | 16m 2s | | the patch passed |
| +1 💚 | compile | 16m 21s | | the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 💚 | javac | 16m 21s | | the patch passed |
| +1 💚 | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 💚 | mvnsite | 18m 6s | | the patch passed |
| +1 💚 | shellcheck | 0m 0s | | No new issues. |
| +1 💚 | javadoc | 9m 39s | | the patch passed with JDK Ubuntu-21.0.10+7-Ubuntu-124.04 |
| +1 💚 | javadoc | 9m 34s | | the patch passed with JDK Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| +1 💚 | shadedclient | 47m 25s | | patch has no errors when building and testing our client artifacts. |
| | _ Other Tests _ | | | |
| -1 ❌ | unit | 760m 59s | /patch-unit-root.txt | root in the patch failed. |
| +1 💚 | asflicense | 1m 54s | | The patch does not generate ASF License warnings. |
| | | 1052m 37s | | |

| Reason | Tests |
|--------|-------|
| Failed junit tests | hadoop.yarn.service.TestYarnNativeServices |

| Subsystem | Report/Notes |
|-----------|--------------|
| Docker | ClientAPI=1.54 ServerAPI=1.54 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8443/1/artifact/out/Dockerfile |
| GITHUB PR | #8443 |
| Optional Tests | dupname asflicense mvnsite codespell detsecrets markdownlint compile javac javadoc mvninstall unit shadedclient xmllint shellcheck shelldocs |
| uname | Linux ecb8e0556e61 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / 379a1ef |
| Default Java | Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| Multi-JDK versions | /usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.10+7-Ubuntu-124.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.18+8-Ubuntu-124.04.1 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8443/1/testReport/ |
| Max. process+thread count | 3588 (vs. ulimit of 10000) |
| modules | C: hadoop-project hadoop-cloud-storage-project/hadoop-cos . U: . |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8443/1/console |
| versions | git=2.43.0 maven=3.9.11 shellcheck=0.9.0 |
| Powered by | Apache Yetus 0.14.1 https://yetus.apache.org |

This message was automatically generated.

@steveloughran
Contributor

Test failure is TestYarnNativeServices.testCreateServiceWithPlacementPolicy

YARN service not listening; assuming a flaky test. If there was a major incompatibility from bouncycastle, it'd be more widespread.

Contributor

@steveloughran steveloughran left a comment

+1

@steveloughran steveloughran merged commit 7bb3afe into apache:trunk Apr 20, 2026
1 of 4 checks passed
@steveloughran
Contributor

Thanks.
Does it backport (i.e. is it Java 8 compatible)? If so, let's do that.

That's a lot of CVEs...possibly a side effect of the uptick in AI-assist CVE discovery.

We have to view every dependency as a CVE subscription, and bring those versions up to date.

The yarn NPM stuff is something that someone needs to maintain, and nobody does. What if we just treat dependabot as the submitter and don't rely on any human submission. Instead just create a matching Hadoop/yarn/.. jira, change the title and merge?

@pjfanning
Member Author

@steveloughran we use the Java 1.8 compatible bouncycastle jars still. I'll create a backport for 3.4 branch tonight.

@pjfanning pjfanning deleted the HADOOP-19866-bc branch April 20, 2026 13:03
pjfanning added a commit to pjfanning/hadoop that referenced this pull request Apr 20, 2026
CVE-2025-14813 - GOSTCTR implementation unable to process more than 255 blocks correctly.
CVE-2026-0636 - LDAP Injection Vulnerability in LDAPStoreHelper.java.
CVE-2026-3505 - Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.
CVE-2026-5588 - PKIX draft CompositeVerifier accepts empty signature sequence as valid.
CVE-2026-5598 - Non-constant time comparisons risk private key leakage in FrodoKEM.
Contributed by PJ Fanning
pjfanning added a commit to pjfanning/hadoop that referenced this pull request Apr 20, 2026
steveloughran pushed a commit that referenced this pull request Apr 24, 2026
steveloughran pushed a commit that referenced this pull request Apr 24, 2026

5 participants