Standard.Licensing
Update BouncyCastle to latest version
Hi @junian, thank you for your good work. Please update BouncyCastle to the latest version because of a vulnerability in older versions.
Hi @ahmadreza-hadidi, can you give a reference for which vulnerability?
https://github.com/advisories/GHSA-8xfc-gm6g-vgpv https://github.com/advisories/GHSA-v435-xc8x-wvr9 https://github.com/advisories/GHSA-8xfc-gm6g-vgpv
You're also using a forked version, it looks like. Can you please use the standard version? https://www.nuget.org/packages/BouncyCastle.Cryptography
They updated it to remove the need to use the portable version when they deprecated the BouncyCastle.Crypto version.
https://www.nuget.org/packages/BouncyCastle
I do understand that you're using 1.9.0, but there's an official package so you don't need to reference the external repo.
This is the other reason why it's important. Can't use packages with vulnerabilities, and can't use the standard library because yours brings in a transitive reference:
I've put a pull request together to fix all that up.
@junian Have you had a chance to check the pull request?
Thank you. I'll review it soon.
Appreciate it. It's somewhat urgent.
Thank you @kfrancis for the contribution, it's being validated on NuGet right now, should be available soon.
The release works great, thank you. Also, I can confirm that the change in BouncyCastle doesn't require a change in existing licenses - they work as is.