Your message dated Tue, 08 Dec 2015 11:19:28 +0000
with message-id <e1a6giq-0003jh...@franck.debian.org>
and subject line Bug#802671: fixed in bouncycastle 1.44+dfsg-2+deb6u1
has caused the Debian Bug report #802671,
regarding CVE-2015-7940: bouncycastle: ECC private keys can be recovered via
invalid curve attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
802671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.44+dfsg-2
Severity: serious
Tags: security
Control: fixed -1 1.51-1
Hello,
bouncycastle 1.49 in stable/testing/unstable (and 1.44 in wheezy/squeeze)
is vulnerable to an invalid curve attack as described here:
https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
This is fixed in version 1.51 (in experimental).
The upstream patches that fix this issue should be these:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a
A CVE has been requested here:
http://www.openwall.com/lists/oss-security/2015/10/22/7
-- System Information:
Debian Release: stretch/sid
APT prefers squeeze-lts
APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'),
(500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.44+dfsg-2+deb6u1
We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 802...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <hert...@debian.org> (supplier of updated bouncycastle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 22 Oct 2015 12:05:19 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc
libbctsp-java libbctsp-java-doc libbcpg-java libbcpg-java-doc
libbcprov-java-gcj libbcmail-java-gcj libbctsp-java-gcj libbcpg-java-gcj
Architecture: source all amd64
Version: 1.44+dfsg-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hert...@debian.org>
Description:
libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
libbcmail-java-doc - Documentation for libbcmail-java
libbcmail-java-gcj - Bouncy Castle generators/processors for S/MIME and CMS
libbcpg-java - Bouncy Castle generators/processors for OpenPGP
libbcpg-java-doc - Documentation for libbcpg-java
libbcpg-java-gcj - Bouncy Castle generators/processors for OpenPGP
libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
libbcprov-java-doc - Documentation for libbcprov-java
libbcprov-java-gcj - Bouncy Castle Java Cryptographic Service Provider
libbctsp-java - Bouncy Castle generators/processors for TSP
libbctsp-java-doc - Documentation for libbctsp-java
libbctsp-java-gcj - Bouncy Castle generators/processors for TSP
Closes: 802671
Changes:
bouncycastle (1.44+dfsg-2+deb6u1) squeeze-lts; urgency=medium
.
* Non-maintainer upload by the Debian LTS team.
* CVE-2015-7940: fix invalid curve attack as described in
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
Closes: #802671
* Add ant-optional to Build-Depends to be able to run the test suite during
build.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---