Package: bouncycastle
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/

In the advisory, the following information is present about bouncycastle:
"a patch will be included in version 1.48 of the Java library, to be released 
on or about 05/02/2013. The C# version of BouncyCastle will be fixed in CVS at 
a similar time, and included in release 1.8 at a later date."

The generic protocol issue has been assigned CVE name CVE-2013-0169. The 
specific fix for bouncycastle is known as CVE-2013-1624. Please mention these 
identifiers in the changelog.

Can you see to it that this issue is addressed in unstable and testing? And 
are you available to create an update for stable-security?


Cheers,
Thijs
