Your message dated Tue, 08 Dec 2015 11:19:28 +0000
with message-id <e1a6giq-0003jh...@franck.debian.org>
and subject line Bug#802671: fixed in bouncycastle 1.44+dfsg-2+deb6u1
has caused the Debian Bug report #802671,
regarding CVE-2015-7940: bouncycastle: ECC private keys can be recovered via invalid curve attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
802671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.44+dfsg-2
Severity: serious
Tags: security
Control: fixed -1 1.51-1

Hello,

bouncycastle 1.49 in stable/testing/unstable (and 1.44 in wheezy/squeeze)
is vulnerable to an invalid curve attack as described here:
https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

This is fixed in version 1.51 (in experimental).

The upstream patches that fix this issue should be these:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

A CVE has been requested here:
http://www.openwall.com/lists/oss-security/2015/10/22/7

-- System Information:
Debian Release: stretch/sid
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.44+dfsg-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 802...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hert...@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Oct 2015 12:05:19 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbctsp-java libbctsp-java-doc libbcpg-java libbcpg-java-doc libbcprov-java-gcj libbcmail-java-gcj libbctsp-java-gcj libbcpg-java-gcj
Architecture: source all amd64
Version: 1.44+dfsg-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hert...@debian.org>
Description: 
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Documentation for libbcmail-java
 libbcmail-java-gcj - Bouncy Castle generators/processors for S/MIME and CMS
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Documentation for libbcpg-java
 libbcpg-java-gcj - Bouncy Castle generators/processors for OpenPGP
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Documentation for libbcprov-java
 libbcprov-java-gcj - Bouncy Castle Java Cryptographic Service Provider
 libbctsp-java - Bouncy Castle generators/processors for TSP
 libbctsp-java-doc - Documentation for libbctsp-java
 libbctsp-java-gcj - Bouncy Castle generators/processors for TSP
Closes: 802671
Changes: 
 bouncycastle (1.44+dfsg-2+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS team.
   * CVE-2015-7940: fix invalid curve attack as described in
     http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
     Closes: #802671
   * Add ant-optional to Build-Depends to be able to run the test suite during
     build.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog

-----END PGP SIGNATURE-----

--- End Message ---
