Your message dated Sun, 06 Dec 2015 01:19:15 +0000
with message-id <e1a5nyt-0000em...@franck.debian.org>
and subject line Bug#802671: fixed in bouncycastle 1.51-2
has caused the Debian Bug report #802671,
regarding CVE-2015-7940: bouncycastle: ECC private keys can be recovered via invalid curve attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
802671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.44+dfsg-2
Severity: serious
Tags: security
Control: fixed -1 1.51-1

Hello,

bouncycastle 1.49 in stable/testing/unstable (and 1.44 in wheezy/squeeze)
is vulnerable to an invalid curve attack as described here:
https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

This is fixed in version 1.51 (in experimental).

The upstream patches that fix this issue should be these:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

A CVE has been requested here:
http://www.openwall.com/lists/oss-security/2015/10/22/7

-- System Information:
Debian Release: stretch/sid
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.51-2

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 802...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Dec 2015 00:34:19 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source
Version: 1.51-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documenta
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Document
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Closes: 798343 799007 802671
Changes:
 bouncycastle (1.51-2) unstable; urgency=medium
 .
   * Team upload.
   * Upload to unstable. (Closes: #799007)
   * The new upstream release 1.51 fixes CVE-2015-7940. (Closes: #802671)
   * Declare compliance with Debian Policy 3.9.6.
   * Vcs-Browser: Use https.
   * Add fix-encoding.patch.
     This prevents an error when creating javadoc which would otherwise lead to
     empty -doc packages. Drop 01_build.patch because it once tried to
     accomplish the same but it is obsolete now.
     Thanks to dean for the report. (Closes: #798343)
Checksums-Sha1:
 78558778214b1cd34438b25a16a3657e22972702 2662 bouncycastle_1.51-2.dsc
 febdf5b551d4ca7d5ac64c0cf54b8ea492ddf243 9596 bouncycastle_1.51-2.debian.tar.xz
Checksums-Sha256:
 0575ddd82dbdf3957efa4b3d4def9cbddd7baa1b3354d40f546f9aced08c4b75 2662 bouncycastle_1.51-2.dsc
 8373101dc7d7c3fd1a61eef0169b996cd902637d7950238a35b9a45aabc377a0 9596 bouncycastle_1.51-2.debian.tar.xz
Files:
 a465b952faecf683151896c687425731 2662 java optional bouncycastle_1.51-2.dsc
 de1247914c7ebb4f07fac70d578fd6fa 9596 java optional bouncycastle_1.51-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
