1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 3417-1] bouncycastle security update

    From Luciano Bello@1:229/2 to All on Mon Dec 14 14:00:01 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-3417-1 [email protected] https://www.debian.org/security/ Luciano Bello December 14, 2015 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : bouncycastle
    CVE ID : CVE-2015-7940
    Debian Bug : 802671

    Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz
    Institute for IT Security, published a paper in ESORICS 2015 where they describe an invalid curve attack in Bouncy Castle Crypto, a Java library
    for cryptography. An attacker is able to recover private Elliptic Curve
    keys from different applications, for example, TLS servers.

    More information: http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html Practical Invalid Curve Attacks on TLS-ECDH: http://euklid.org/pdf/ECC_Invalid_Curve.pdf

    For the oldstable distribution (wheezy), this problem has been fixed
    in version 1.44+dfsg-3.1+deb7u1.

    For the stable distribution (jessie), this problem has been fixed in
    version 1.49+dfsg-3+deb8u1.

    For the unstable distribution (sid), this problem has been fixed in
    version 1.51-2.

    We recommend that you upgrade your bouncycastle packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCAAGBQJWbrnpAAoJEG7C3vaP/jd0sYEP/0oGLjRD26QDcghTOV4kZpmO QQc3rXHiyMylQGUVJ6mHFES+dVwHlWy6VumRlQp2uBB/O+afvM3jEo1Mx9jgrYhR +2hpqc21kh1sIJEi+ZK7MfaGjlg8IVIYXapXi/DdJt0dGGJuji+qN+XWRue5yLgm 08vm4scq8TUohYxpdNnpoWUSJ2/k49aQ60Jz+tz+80UjqDcaxhS7lw1YxqzOHOBs YABdawwUh0mfguQIIfHS+5R6lb/YzzE07ZVdgQVRzNL4z0PMNCUV4uT6xTWpn/Wx kvgiDW+Qpw4mkKIAeKkOuHWoXxHsOQfY7DRXfOnyybv0GTDGV0OKuYKbkxXe8kqh g/msrAfg0EGvHiiFgudlMwvdXpkG+gOqu7YyHbTSSPuD9MFjMJdMQIOeih4+GcPN Yxvvl6x/JKgagJcNco3G6VzXcbcgHBU8WgdN5xASxJcBhzUBmyTaMRmVtuj8vguP EhcBa0a/xzpI6TZqnQc3drznU3sqxcvDI3shPKckLN5lJpUXiKaTOcageILkfxpg NUmZ01YQEI7nYJFjAMflKnqXFcRanTYBHhI7aZxbfueviqx7uTzXLT5oiyf99sIR DA8+7uVPr6O2QXmnOTleAEIpNYs9VibfAtGt3DRkAAeo3ARRM7+yAxXtmN20uBO9 2fAMEkxz0RpnUdEEtKnw
    =P/dD
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)