FYI
> Begin forwarded message: > > From: Luciano Bello <[email protected]> > Subject: [SECURITY] [DSA 3417-1] bouncycastle security update > Date: 14 Dec 2015 13:51:06 CET > To: [email protected] > Resent-From: [email protected] (Mailing List Manager) > Resent-Cc: recipient list not shown: ; > Reply-To: [email protected] > > Signed PGP part > ------------------------------------------------------------------------- > Debian Security Advisory DSA-3417-1 [email protected] > https://www.debian.org/security/ Luciano Bello > December 14, 2015 https://www.debian.org/security/faq > ------------------------------------------------------------------------- > > Package : bouncycastle > CVE ID : CVE-2015-7940 > Debian Bug : 802671 > > Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz > Institute for IT Security, published a paper in ESORICS 2015 where they > describe an invalid curve attack in Bouncy Castle Crypto, a Java library > for cryptography. An attacker is able to recover private Elliptic Curve > keys from different applications, for example, TLS servers. > > More information: > http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html > Practical Invalid Curve Attacks on TLS-ECDH: > http://euklid.org/pdf/ECC_Invalid_Curve.pdf > > For the oldstable distribution (wheezy), this problem has been fixed > in version 1.44+dfsg-3.1+deb7u1. > > For the stable distribution (jessie), this problem has been fixed in > version 1.49+dfsg-3+deb8u1. > > For the unstable distribution (sid), this problem has been fixed in > version 1.51-2. > > We recommend that you upgrade your bouncycastle packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ > > Mailing list: [email protected] > > _______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
