Your message dated Sat, 06 Apr 2013 01:00:07 +0000
with message-id <e1uohuf-0006hu...@franck.debian.org>
and subject line Bug#699885: fixed in bouncycastle 1.48+dfsg-1
has caused the Debian Bug report #699885,
regarding TLS timing attack in bouncycastle (Lucky 13)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
699885: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699885
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bouncycastle
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the
handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits
timing differences arising during MAC processing. Details of this attack
can be found at:

http://www.isg.rhul.ac.uk/tls/

In the advisory, the following information is present about bouncycastle:

"a patch will be included in version 1.48 of the Java library, to be
released on or about 05/02/2013. The C# version of BouncyCastle will be
fixed in CVS at a similar time, and included in release 1.8 at a later
date."

The generic protocol issue has been assigned CVE name CVE-2013-0169. The
specific fix for bouncycastle is known as CVE-2013-1624. Please mention
these identifiers in the changelog.

Can you see to it that this issue is addressed in unstable and testing?
And are you available to create an update for stable-security?

Cheers,
Thijs
--- End Message ---
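The report above describes the weakness only as "timing differences arising during MAC processing". What follows is an added example, not code from Bouncy Castle, from the Debian package, or from the reporter, that models where that difference comes from in a TLS CBC record receiver. It assumes HMAC-SHA1 over the 13-byte TLS record header plus fragment, derives the SHA-1 compression-function count from input length instead of reading a clock, leaves the block cipher out (the inputs are the bytes a receiver holds after CBC decryption, which is where the leak lives), and uses a constructed key and a constructed 64-byte record. The unprotect_constant_work receiver illustrates the kind of remedy the Lucky 13 authors recommended, topping the work up with dummy compression calls; it is a model of that idea, not the fix shipped in bouncycastle 1.48.

```python
"""Lucky 13 timing model: padding and MAC check after CBC decryption of a
TLS record. Added example, not Bouncy Castle or Debian code. The cipher
layer is omitted: inputs are plaintext || MAC || padding as held by the
receiver after CBC decryption. SHA-1 compression calls are derived from
lengths (64-byte blocks, 9 bytes minimum padding), not timed."""
import hashlib
import hmac
import struct

MAC_LEN = 20       # HMAC-SHA1 tag length
HASH_BLOCK = 64    # SHA-1 compression block size
HASH_MIN_PAD = 9   # 0x80 terminator + 64-bit length field
HDR_LEN = 13       # seq(8) || type(1) || version(2) || length(2), MAC'd with the fragment


def sha1_calls(n_bytes):
    """Compression-function calls SHA-1 needs for an n_bytes input."""
    return (n_bytes + HASH_MIN_PAD + HASH_BLOCK - 1) // HASH_BLOCK


def hmac_calls(msg_len):
    """Calls for HMAC-SHA1(msg): inner hash over ipad-block||msg, outer over opad-block||digest."""
    return sha1_calls(HASH_BLOCK + msg_len) + sha1_calls(HASH_BLOCK + MAC_LEN)


def tls_mac(key, seq, fragment):
    """TLS record MAC: HMAC over the pseudo-header and the fragment."""
    hdr = struct.pack(">QBHH", seq, 23, 0x0303, len(fragment))
    return hmac.new(key, hdr + fragment, hashlib.sha1).digest()


def protect(key, seq, fragment, block=16):
    """fragment || MAC || padding, TLS style: pad_len+1 bytes each valued pad_len."""
    body = fragment + tls_mac(key, seq, fragment)
    pad_len = (block - (len(body) + 1) % block) % block
    return body + bytes([pad_len]) * (pad_len + 1)


def _split(record):
    """Padding check shared by both receivers. Its own branches leak a little
    too (a hardened receiver masks them); this model only equalises MAC work."""
    pad_len = record[-1]
    ok = (pad_len + 1 + MAC_LEN <= len(record)
          and record[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not ok:
        pad_len = 0          # RFC 5246 6.2.3.2 advice: assume zero-length pad, MAC anyway
    body = record[:len(record) - pad_len - 1]
    return ok, body[:-MAC_LEN], body[-MAC_LEN:]


def unprotect_rfc5246(key, seq, record):
    """'MAC anyway' receiver. Returns (accepted, fragment, compression calls).
    The MAC'd length follows the attacker-influenced pad byte, so the call
    count, and hence the time to reach the alert, varies: Lucky 13."""
    pad_ok, fragment, tag = _split(record)
    calls = hmac_calls(HDR_LEN + len(fragment))
    mac_ok = hmac.compare_digest(tls_mac(key, seq, fragment), tag)
    return pad_ok and mac_ok, fragment, calls


def unprotect_constant_work(key, seq, record):
    """Fixed receiver: add dummy compression calls so every record of this
    length costs what the longest admissible fragment (1-byte pad) costs."""
    pad_ok, fragment, tag = _split(record)
    calls = hmac_calls(HDR_LEN + len(fragment))
    target = hmac_calls(HDR_LEN + len(record) - 1 - MAC_LEN)
    scratch = hashlib.sha1()
    for _ in range(target - calls):      # actually burn the missing blocks
        scratch.update(b"\x00" * HASH_BLOCK)
    mac_ok = hmac.compare_digest(tls_mac(key, seq, fragment), tag)
    return pad_ok and mac_ok, fragment, target


def leak_demo():
    """Constructed 64-byte records: one genuine, two attacker-shaped variants
    differing only in the final bytes (what a CBC bit-flip lets an attacker
    steer). Returns the compression-call count each receiver performs."""
    key = b"\x11" * 20                                       # constructed key
    genuine = protect(key, 7, b"Cookie: SID=" + b"x" * 31)   # 43 + 20 + 1 pad byte = 64
    bad_pad = genuine[:-1] + b"\x7f"                         # invalid pad -> treated as 0
    short_pad = genuine[:-2] + b"\x01\x01"                   # valid 2-byte pad, MAC fails
    out = {}
    for name, rec in (("genuine", genuine), ("bad_pad", bad_pad), ("short_pad", short_pad)):
        ok_a, _, calls_a = unprotect_rfc5246(key, 7, rec)
        ok_b, _, calls_b = unprotect_constant_work(key, 7, rec)
        assert ok_a == ok_b                                  # same verdict, different work
        out[name] = {"accepted": ok_a, "rfc5246_calls": calls_a, "fixed_calls": calls_b}
    return out
```

Running leak_demo() shows the RFC 5246 receiver performing 5 compression calls for the genuine record and for the invalid-padding forgery but only 4 for the forgery whose last two bytes decode as valid 0x01 0x01 padding, while the constant-work receiver performs 5 in every case. That one-call gap, observed through the time the peer takes to send its alert, is what the attack measures; the padding comparison itself also branches on secret data, and a full fix masks that as well.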
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.48+dfsg-1

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 699...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Mar 2013 12:52:23 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc libbcprov-java-gcj libbcmail-java-gcj libbcpkix-java-gcj libbcpg-java-gcj
Architecture: source all amd64
Version: 1.48+dfsg-1
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Documentation for libbcmail-java
 libbcmail-java-gcj - Bouncy Castle generators/processors for S/MIME and CMS
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Documentation for libbcpg-java
 libbcpg-java-gcj - Bouncy Castle generators/processors for OpenPGP
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Documentation for libbcpkix-java
 libbcpkix-java-gcj - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Documentation for libbcprov-java
 libbcprov-java-gcj - Bouncy Castle Java Cryptographic Service Provider
Closes: 675819 699885 701698
Changes:
 bouncycastle (1.48+dfsg-1) experimental; urgency=low
 .
   * Team upload.
   * New upstream release (Closes: #701698)
     - Fixes the Lucky 13 attack on CBC-mode encryption in TLS
       CVE-2013-0169, CVE-2013-1624 (Closes: #699885)
   * Added the bcpkix packages (Closes: #675819)
   * Removed the bctsp packages (the TSP API is now included in bcpkix)
   * Updated Standards-Version to 3.9.4: no changes needed.
   * Removed the DMUA flag
   * Refreshed the patches
   * Removed "Suggests: java-virtual-machine" on the libbcpg-java-gcj package
Checksums-Sha1:
 36f3c3b813d2dd3ff40d92b7c6a6aaa5ea2fa10d 2759 bouncycastle_1.48+dfsg-1.dsc
 2a6da5d7c093ad94548a2ca173e6f7503a29a5c9 9686374 bouncycastle_1.48+dfsg.orig.tar.gz
 35c7e056236a7a7012530b9016b41e39c352d311 9692 bouncycastle_1.48+dfsg-1.debian.tar.gz
 eb362d36b325259f7f504c1a80f12fd10bf36350 1925518 libbcprov-java_1.48+dfsg-1_all.deb
 7271298889523ceabbfa5da1523c601c7f3df6ac 2000700 libbcprov-java-doc_1.48+dfsg-1_all.deb
 6ac0918459649c893ad6f3d029b20c3dbdef21bb 138208 libbcmail-java_1.48+dfsg-1_all.deb
 c5d4fd7439435ba514a6cabbd6bfca275428a49d 84598 libbcmail-java-doc_1.48+dfsg-1_all.deb
 6b8606dd7d9f7880c482d83cf9b21ecccb5bf993 528640 libbcpkix-java_1.48+dfsg-1_all.deb
 cf8cc3cbce75a82cadb564d34a464862ea887a3d 463402 libbcpkix-java-doc_1.48+dfsg-1_all.deb
 f1572a5786006cb220d0232aeb6e78b4c5cd24ed 256846 libbcpg-java_1.48+dfsg-1_all.deb
 18ec776a549fd30790c1f7e5967a0ab845b120a7 214718 libbcpg-java-doc_1.48+dfsg-1_all.deb
 accf2f7fcf932338b06273aec0b68f9336063fe9 2961492 libbcprov-java-gcj_1.48+dfsg-1_amd64.deb
 0430698fdac7198f586161bbc6b041b0842d4360 122312 libbcmail-java-gcj_1.48+dfsg-1_amd64.deb
 1ba3703c0354a707e8ac512d84d51403bdfdebde 657580 libbcpkix-java-gcj_1.48+dfsg-1_amd64.deb
 67f3941bb175d29774840eb0fad7aca248e21253 315822 libbcpg-java-gcj_1.48+dfsg-1_amd64.deb
Checksums-Sha256:
 48f335cfe3a057032078d9984a6aeccdc1f1b9e723800ae768ddffb432a9b812 2759 bouncycastle_1.48+dfsg-1.dsc
 f98bde58148c894ec7025b1794b28dc9f745633e4b41760f975552cf13248b47 9686374 bouncycastle_1.48+dfsg.orig.tar.gz
 3cbc822ee715e80208719788a5061747972ad80e411c63030558b3b0a568bb27 9692 bouncycastle_1.48+dfsg-1.debian.tar.gz
 646da2b4613b4c0504c7b4e01d54d9347ac101ebc6d17a1fe06eece9341c86af 1925518 libbcprov-java_1.48+dfsg-1_all.deb
 eef78da0252c89939d72413438615e06ad7118732c949feddbcbec337192ccf5 2000700 libbcprov-java-doc_1.48+dfsg-1_all.deb
 4b29ccefed1a49eff6c8e2a5228f2d5df8a7c27300ffd656dfe7e9409d8ab547 138208 libbcmail-java_1.48+dfsg-1_all.deb
 79df81fe7a1065df2f2c1f835a001fbcdbd3e64728f47971b6a586496045ad44 84598 libbcmail-java-doc_1.48+dfsg-1_all.deb
 42a235558a10e7eb1cc6760dd23d290a9cda10a2f674445f481277c0ecafc334 528640 libbcpkix-java_1.48+dfsg-1_all.deb
 b64318093fa5683be0f5d1e68f6ba8c280fa43ec305b093991e3d87576822372 463402 libbcpkix-java-doc_1.48+dfsg-1_all.deb
 ce999d7f0d441eebe56a32e38b37a67538383ae040e7ea28ef7df5c42316921e 256846 libbcpg-java_1.48+dfsg-1_all.deb
 ac1e497749bfe6eb0d66747445ee645d24d4fade8191d9e5093d462180b54cbc 214718 libbcpg-java-doc_1.48+dfsg-1_all.deb
 b06003966ff8026e84f814296b731fd8913ce5bfb8f6f9bb2c16913ab9c0b1c4 2961492 libbcprov-java-gcj_1.48+dfsg-1_amd64.deb
 ff2f08de6f9d3b962fae949be3b439476fb0661161363b5ec353d63e06bc7942 122312 libbcmail-java-gcj_1.48+dfsg-1_amd64.deb
 b15a01156fa4b9bcb3ebeff7e8ab09bb29619b89fda2d1f979f7eb847813ab57 657580 libbcpkix-java-gcj_1.48+dfsg-1_amd64.deb
 130ebd8feb6a6864b1223752b5bcb3ed1e2fa73846b3fe10c5567de3ce796230 315822 libbcpg-java-gcj_1.48+dfsg-1_amd64.deb
Files:
 8b4ead0939e3816cdc2ae6d3ffb78098 2759 java optional bouncycastle_1.48+dfsg-1.dsc
 ba1d247b3bd96de883257c255109edc7 9686374 java optional bouncycastle_1.48+dfsg.orig.tar.gz
 08123849e913930a05f035ef00f59c08 9692 java optional bouncycastle_1.48+dfsg-1.debian.tar.gz
 1d848f2795da3547bba51d400838f64b 1925518 java optional libbcprov-java_1.48+dfsg-1_all.deb
 364648137ca5bcb3b4630d06cd089cf8 2000700 doc optional libbcprov-java-doc_1.48+dfsg-1_all.deb
 2dad0f109358718e054197e35e8d3c37 138208 java optional libbcmail-java_1.48+dfsg-1_all.deb
 186d77c89041f2654046b8cd4004bd6c 84598 doc optional libbcmail-java-doc_1.48+dfsg-1_all.deb
 ae805d3193349de56a920548b48d17f9 528640 java optional libbcpkix-java_1.48+dfsg-1_all.deb
 de2e6d61d56a0eaf05041d17a64ac3ed 463402 doc optional libbcpkix-java-doc_1.48+dfsg-1_all.deb
 eea470fcc4080a4ab30fbfe628720b56 256846 java optional libbcpg-java_1.48+dfsg-1_all.deb
 17f97392e5d8ce9ee4b4bceb102dee2a 214718 doc optional libbcpg-java-doc_1.48+dfsg-1_all.deb
 edc482f58a83d94307c60f233db02105 2961492 java optional libbcprov-java-gcj_1.48+dfsg-1_amd64.deb
 3543dfb20ff2881c0bd6da03308f3446 122312 java optional libbcmail-java-gcj_1.48+dfsg-1_amd64.deb
 b509d4c2e11aa338982bce72d1d46429 657580 java optional libbcpkix-java-gcj_1.48+dfsg-1_amd64.deb
 553e44dabf8fb85aa8a3b628647862d4 315822 java optional libbcpg-java-gcj_1.48+dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJRXQTQAAoJECHSBYmXSz6WucoP/RDYGVcTZWntW5TYcDyz72IC
pDPIyqGg0OUQCGLKX+pgYIFKDYRG7LhnLrZw5rMU5RxUTayjv15vKmeBdxoX1ZwQ
U8VYBWd20n+H7oWXFacPuQIqiUGTpHcTbY7ExIo9hr4nF9GVq8mzxSDywesm13cv
/Oq4iE9syw0yhNWVJ4apwhxQGIstcwPyYD/mOnktuFHxOoy75TeG59kbvSF3qkB3
tx1EoUQYStSqNFKoOHO00kfDtoAlRhC6/stU8UGA0VNTT0r82Pyw+VxI9KUZLw4E
8tnaeNRTYIUz5wdmSE7ugx/S7Xod8qrVSBSrQBmeJsVaEliHgJO6gNh5rF5LELAD
Yulwr1D06qVdIo4CqWwE17o9bPDuN03Z9vSKPjoSD6kAWztkh8qLWjD1nu9acaNs
dpVuNwSGQW6mhKJUij2bSm73Eb7RPGXG5ynuMZ4RbwDEJvzaL5g39vpzosLS4Ehq
1UYmFHhcuhoKRSdJjaCRF514rtcATr5nGo03viYsCjCbF2CWvfC/L8843hJBiZVi
WzYofavDZiOgx1o3yP8h0mEOHLAjX+Y+DKEzGIyJxKWzwiZ7ZMZEo7xVUEUa6LSW
Ll6bvYUcMZD3CjB8/uodIoEJ94Q9ztlVTZcxzbFoKVc2EbfiRlbecw/UCA4hJTFd
uQTmW+pD2qTLxXWNkp1x
=8EW6
-----END PGP SIGNATURE-----
--- End Message ---