Your message dated Thu, 30 Nov 2023 21:50:00 +0000 with message-id <e1r8ov2-009bp6...@fasolo.debian.org> and subject line Bug#1056754: fixed in bouncycastle 1.77-1 has caused the Debian Bug report #1056754, regarding bouncycastle: CVE-2023-33202 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1056754: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056754 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: bouncycastle Version: 1.72-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for bouncycastle. CVE-2023-33202[0]: | Bouncy Castle for Java before 1.73 contains a potential Denial of | Service (DoS) issue within the Bouncy Castle | org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL | PEM encoded streams containing X.509 certificates, PKCS8 encoded | keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data | through the PEMParser causes an OutOfMemoryError, which can enable a | denial of service attack. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-33202 https://www.cve.org/CVERecord?id=CVE-2023-33202 [1] https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: bouncycastle Source-Version: 1.77-1 Done: Markus Koschany <a...@debian.org> We believe that the bug you reported is fixed in the latest version of bouncycastle, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1056...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Markus Koschany <a...@debian.org> (supplier of updated bouncycastle package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 30 Nov 2023 13:08:45 +0100 Source: bouncycastle Architecture: source Version: 1.77-1 Distribution: unstable Urgency: medium Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Closes: 1040050 1049356 1056754 Changes: bouncycastle (1.77-1) unstable; urgency=medium . * Team upload. * New upstream version 1.77. (Closes: #1049356) - Fix CVE-2023-33201: potential blind LDAP injection attack. (Closes: #1040050) - Fix CVE-2023-33202: potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. (Closes: #1056754) * Update poms to version 1.77. * Drop bouncycastle-1.72.3.patch. Fixed upstream. * Remove backward-compatibility.patch. It is time to fix those issues properly in our reverse-dependencies. * Refresh the remaining patches. Checksums-Sha1: 59e2b9c807d558c95645e878f8cd68d2ee0b9d75 2587 bouncycastle_1.77-1.dsc 55d8dbbc7dce0042aa5f6daaafc6f32290a0c135 7282456 bouncycastle_1.77.orig.tar.xz 823ff61d26565df4be019a7b62578200bcb59981 10444 bouncycastle_1.77-1.debian.tar.xz 46caf15c219e513a6bdb340c211053fb05facf1d 14061 bouncycastle_1.77-1_amd64.buildinfo Checksums-Sha256: 018acb7d4b3e800d8dc1ba0eb174b8657ed6700cc7cb30eeee9e00552edc3b61 2587 bouncycastle_1.77-1.dsc a78f0ef4370802780dba59cae64fcd021ef49936d863580059cbf1fd7a3c96eb 7282456 bouncycastle_1.77.orig.tar.xz 4db3b9871d98a01a234ae000a50a290e14c8362af18080aa8b093c071b16914a 10444 bouncycastle_1.77-1.debian.tar.xz eb97902f28c5827b3092585b821009a89c453c00e938087ecca174d073a90214 14061 bouncycastle_1.77-1_amd64.buildinfo Files: 97931d3f3be192d3be97a1f2d2ed00b7 2587 java optional bouncycastle_1.77-1.dsc d37418e5e4e0479d263424541b927e8a 7282456 java optional bouncycastle_1.77.orig.tar.xz ef7db0eb7ae399fa85f1eb31aae2f86b 10444 java optional bouncycastle_1.77-1.debian.tar.xz fbc09a40b1ca3549268ed7c2c197acb7 14061 java optional bouncycastle_1.77-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVo/aRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1HkVs4QAJKoeb+oPFZNKh3eVm6zKQ2XwestBiiSlhiC qz/ZqwJ88Drz3qAOqT6usNTMiT+ogo1W0v/SR2Kx0YoIgnCQqYDvL1TDWOff7OkL fzRDsnoXq8b/I89DzWnPKBN3T1llXdzSOWPvR5ztuI7CR84+6tuuuww1ajLdGYQw VQcDabKQeEPU/m9cWRvzTk8IR0vs8BBnfJ+BhMvORXEfIoLikDBpD6AaH2j2sbzS XjvlgnUbnVecbyYcQWrx9fPb7ONfR4J+vNS1NhMSi770ucqtMc86WkbS6YNEL/+B JnlQa5mG+zAMVSyZq4hHDXKWmIdpeHtIfKAjB8bkiLynmT7MWx6WkzDi/KVDs+G4 c/U3IPbuNTpoyD6w8Dkk75JxJf7+FwWx7210ofyWiUGOuhOrthpWdSnifs82NvzC AQ00bJ8C1xZbrvCL1z3C7wwU7SCVUnJ2sXtsQvEZ8GLwcKLJnNtjdUqItlyAunoz YMNAiSpCsTK6ZeiDj5sLTTcX1v36xfzIa0iiIJKrjo3Kg9wFdtVq9wGiC6+i4uvQ uNjsroj3Ox6X8SChk2HsvVkTkZB+PCOUD+jo2pagoRSVp3eeEH/Z5au++/QwSNeE XPkgvvjD7a75jqrSvc/JC7DbYBtKFUEFRyKioAvOMa5Fb1ZcHtbUzNzo23XprLMp kYNDCKhI =Sn2f -----END PGP SIGNATURE-----
--- End Message ---
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
