Hi all, I saw that the CVE for this vulnerability was mentioned in the latest critical patch update advisory as fixed:
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

And is now also public:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2894

However, the only change related to ECDSA I saw in the OpenJDK tree is this:
https://hg.openjdk.java.net/jdk/jdk/rev/d66bdf0e2dfe

8228825: Enhance ECDSA operations
Reviewed-by: mullan
Author: ascarpino

It basically disables support for binary field curves in the Java TLS/SSL server. However, this does not fix the vulnerability:

- Any user of the SunEC library through JCA remains vulnerable.
- Any user of the Java TLS/SSL server that sets up the server to allow and use binary field curves (through "jdk.tls.namedGroups" for example) remains vulnerable.

A proper patch for this issue was posted earlier, with analysis of correctness and passing tests.

Cheers,
Jan
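To check whether an application falls into either of the two cases listed in the message above, the following added example (not part of the original post and not OpenJDK code) flags EC keys defined over a binary field and binary field curve names in a "jdk.tls.namedGroups" value. The class and method names are hypothetical, the sample group list is constructed, and the name check assumes the SEC 2 convention that binary field curve names start with "sect".

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECKey;
import java.security.spec.ECFieldF2m;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;

public class BinaryCurveCheck {
    // True when the key is an EC key whose curve is defined over GF(2^m).
    static boolean usesBinaryField(Key key) {
        return key instanceof ECKey
                && ((ECKey) key).getParams().getCurve().getField() instanceof ECFieldF2m;
    }

    // Returns the entries of a jdk.tls.namedGroups value that name SEC 2 binary
    // field curves ("sect..." names, as opposed to "secp..." prime field curves).
    static List<String> binaryNamedGroups(String namedGroups) {
        List<String> hits = new ArrayList<>();
        if (namedGroups == null) return hits;
        for (String entry : namedGroups.split(",")) {
            String name = entry.trim();
            if (name.toLowerCase().startsWith("sect")) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) {
        System.out.println("configured: "
                + binaryNamedGroups(System.getProperty("jdk.tls.namedGroups")));
        // Constructed sample value, not taken from any real deployment.
        System.out.println("sample: " + binaryNamedGroups("secp256r1, sect283k1, x25519"));
        for (String curve : new String[] {"secp256r1", "sect283k1"}) {
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
                kpg.initialize(new ECGenParameterSpec(curve));
                Key priv = kpg.generateKeyPair().getPrivate();
                System.out.println(curve + " binary field: " + usesBinaryField(priv));
            } catch (java.security.GeneralSecurityException e) {
                // Some JDK builds no longer provide binary field curves at all.
                System.out.println(curve + " not available: " + e.getMessage());
            }
        }
    }
}
```

Calling `usesBinaryField` on a key before it is passed to `Signature.initSign` lets JCA code reject or log binary field keys regardless of how the TLS layer is configured.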
