fix(deps): update bouncycastle, log4j, activemq, and mina

[vlsi]

Description

Update four dependency groups to their latest stable releases. Each upgrade is a separate commit, with the Gradle dependency-verification metadata regenerated and the full test suite run green before committing.

Group	From	To	Scope
org.bouncycastle (bcmail/bcpkix/bcprov-jdk18on)	1.82	1.84	compile-only + test
org.apache.logging.log4j (log4j-1.2-api/api/core/slf4j2-impl)	2.25.3	2.26.0	runtime (shipped)
org.apache.activemq (activemq-broker/client/spring)	6.2.0	6.2.6	test
org.apache.mina (mina-core)	2.2.5	2.2.8	test

log4j and mina both expose a pre-release as their Maven release marker (3.0.0-beta3 and 3.0.0-M2). Those are major-version pre-releases, so this PR stays on the current stable lines.

Motivation and Context

Routine security maintenance: pick up the latest upstream security and bug fixes for the shipped logging stack (log4j) and the Bouncy Castle crypto provider, and keep the test-only message-broker and networking libraries current.

How Has This Been Tested?

For each group, in its own commit:

1. Bumped the version in the relevant BOM (src/bom-thirdparty/build.gradle.kts for bouncycastle and log4j; src/bom-testing/build.gradle.kts for activemq and mina).
2. Regenerated verification metadata with ./gradlew --console=plain --dependency-verification lenient -q --write-verification-metadata sha256,pgp dependencies. This refreshed gradle/verification-metadata.xml and, for log4j, src/dist/src/dist/expected_release_jars.csv.
3. Ran ./gradlew --quiet test — green for all four bumps.

All four groups verify through trusted PGP keys, so no per-jar checksums change. log4j is the only shipped artifact among them, so it is the only group that updates the expected-release-jar list.

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• My code follows the code style of this project.
• I have updated the documentation accordingly. (Version-only updates; no documentation change needed.)