Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Emmanuel Bourg
Thank you for the report, Moritz. According to the Bugzilla report the issue happens when BCrypt.gensalt() is called with the value 31. jenkins is the only package using this library and it calls this method with no parameter [1], the default value being 10 [2]. So I don't think this issue is

Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Moritz Muehlenhoff
Package: libjbcrypt-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2097

Cheers,
Moritz