We had the same Talk at Bsides Vienna :) Aaron
Torsten Gigler wrote: > Hi, > > and there has been a nice talk at the German OWASP Day: > https://www.owasp.org/images/4/4c/Practical_Invalid_Curve_Attacks_on_TLS-ECDH_-_Juraj_Somorovsky.pdf > > regards > Torsten > > 2015-12-15 2:14 GMT+01:00 L. Aaron Kaplan <[email protected] > <mailto:[email protected]>>: > > > FYI > > > > Begin forwarded message: > > > > From: Luciano Bello <[email protected] <mailto:[email protected]>> > > Subject: [SECURITY] [DSA 3417-1] bouncycastle security update > > Date: 14 Dec 2015 13:51:06 CET > > To: [email protected] <mailto:[email protected]> > > Resent-From: [email protected] > <mailto:[email protected]> (Mailing List Manager) > > Resent-Cc: recipient list not shown: ; > > Reply-To: [email protected] > <mailto:[email protected]> > > > > Signed PGP part > > > ------------------------------------------------------------------------- > > Debian Security Advisory DSA-3417-1 > [email protected] <mailto:[email protected]> > > https://www.debian.org/security/ > Luciano Bello > > December 14, 2015 > https://www.debian.org/security/faq > > > ------------------------------------------------------------------------- > > > > Package : bouncycastle > > CVE ID : CVE-2015-7940 > > Debian Bug : 802671 > > > > Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz > > Institute for IT Security, published a paper in ESORICS 2015 where > they > > describe an invalid curve attack in Bouncy Castle Crypto, a Java > library > > for cryptography. An attacker is able to recover private Elliptic > Curve > > keys from different applications, for example, TLS servers. > > > > More information: > > > > http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html > > Practical Invalid Curve Attacks on TLS-ECDH: > > http://euklid.org/pdf/ECC_Invalid_Curve.pdf > > > > For the oldstable distribution (wheezy), this problem has been fixed > > in version 1.44+dfsg-3.1+deb7u1. > > > > For the stable distribution (jessie), this problem has been fixed in > > version 1.49+dfsg-3+deb8u1. > > > > For the unstable distribution (sid), this problem has been fixed in > > version 1.51-2. > > > > We recommend that you upgrade your bouncycastle packages. > > > > Further information about Debian Security Advisories, how to apply > > these updates to your system and frequently asked questions can be > > found at: https://www.debian.org/security/ > > > > Mailing list: [email protected] > <mailto:[email protected]> > > > > > > _______________________________________________ > Ach mailing list > [email protected] <mailto:[email protected]> > http://lists.cert.at/cgi-bin/mailman/listinfo/ach > > > _______________________________________________ > Ach mailing list > [email protected] > http://lists.cert.at/cgi-bin/mailman/listinfo/ach
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
