Your message dated Mon, 14 Dec 2015 22:47:07 +0000
with message-id <e1a8btb-0006mm...@franck.debian.org>
and subject line Bug#802671: fixed in bouncycastle 1.49+dfsg-3+deb8u1
has caused the Debian Bug report #802671,
regarding CVE-2015-7940: bouncycastle: ECC private keys can be recovered via invalid curve attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
802671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.44+dfsg-2
Severity: serious
Tags: security
Control: fixed -1 1.51-1

Hello,

bouncycastle 1.49 in stable/testing/unstable (and 1.44 in wheezy/squeeze)
is vulnerable to an invalid curve attack as described here:
https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

This is fixed in version 1.51 (in experimental).

The upstream patches that fix this issue should be those ones:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

A CVE has been requested here:
http://www.openwall.com/lists/oss-security/2015/10/22/7

-- System Information:
Debian Release: stretch/sid
  APT prefers squeeze-lts
  APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
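As an added illustration of the attack class this report is about (not code from the bug report, from Bouncy Castle or from the Debian package), the following Python script runs an invalid curve attack end to end against a toy ECDH responder and shows the on-curve check that defeats it. Everything in it is constructed: the curve y^2 = x^3 + 5x + 7 over F_1009, the seeded private key, the list of small primes, and the oracle, which stands in for whatever tells a real attacker whether the victim derived the same secret (a MAC that verifies, a record that decrypts). The attacker keeps the curve's coefficient a and varies b, because the affine addition and doubling formulas never use b, and sends points of small prime order r; each oracle hit leaks d mod r up to sign, and the residues are combined with the CRT and confirmed against the victim's public key.

```python
"""Toy invalid-curve attack on an ECDH responder that skips public-key
validation, and the on-curve check that stops it.  Added example, not Bouncy
Castle code; all parameters are constructed (tiny field, seeded victim key,
an oracle standing in for a MAC check or decryption that succeeds or fails)."""
import random
from itertools import product
from math import prod

P, A, B = 1009, 5, 7  # real curve: y^2 = x^3 + A*x + B over F_1009 (constructed)
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def add(p1, p2, a, p):
    # Affine addition on y^2 = x^3 + a*x + b.  The coefficient b never appears,
    # so these formulas silently operate on a point from a different curve.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # P + (-P) = point at infinity
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, p - 2, p) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, p - 2, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt, a, p):
    # Double-and-add scalar multiplication, equally independent of b.
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, a, p)
        pt, k = add(pt, pt, a, p), k >> 1
    return acc

def is_on_curve(pt, a, b, p):
    # The validation the fix adds: the peer's point must satisfy the real equation.
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - a * pt[0] - b) % p == 0

def points(a, b, p):
    # All affine points of y^2 = x^3 + a*x + b over F_p (brute force, tiny p).
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get((x ** 3 + a * x + b) % p, [])]

def crt(rems, mods):
    # Combine d mod r_i for distinct primes r_i into d mod prod(r_i).
    x, m = 0, 1
    for r, q in zip(rems, mods):
        x, m = x + m * ((r - x) * pow(m % q, q - 2, q) % q), m * q
    return x % m

# Victim: static ECDH key on the real curve (seeded so the run is repeatable).
REAL_PTS = points(A, B, P)
N_REAL = len(REAL_PTS) + 1  # group order, counting the point at infinity
G = REAL_PTS[0]
ORD_G = next(d for d in range(1, N_REAL + 1) if N_REAL % d == 0 and mul(d, G, A, P) is None)
VICTIM_D = random.Random(2015).randrange(1, ORD_G)
VICTIM_PUB = mul(VICTIM_D, G, A, P)

def responder_shared_x(peer, validate):
    # validate=False is the vulnerable behaviour; validate=True is the fix.
    if validate and not is_on_curve(peer, A, B, P):
        raise ValueError("peer public key is not on the curve")
    s = mul(VICTIM_D, peer, A, P)
    return None if s is None else s[0]

def oracle(peer, guess):
    # Does the victim's secret match the attacker's guess?  Keys derive from x
    # only, so k*Q and -k*Q are indistinguishable: a hit means d = +-k (mod r).
    return responder_shared_x(peer, False) == (None if guess is None else guess[0])

def point_of_order(r, pts, n):
    # A point of exact prime order r on a curve of order n, where r divides n.
    m = n
    while m % r == 0:
        m //= r
    for pt in pts:
        s = mul(m, pt, A, P)  # the order of s is now a power of r
        while s is not None and mul(r, s, A, P) is not None:
            s = mul(r, s, A, P)
        if s is not None:
            return s

def invalid_curve_attack():
    # Recover VICTIM_D from points of small prime order on curves
    # y^2 = x^3 + A*x + b' (same A, b' != B).  Returns (d, [(b', Q, r), ...]).
    residues, queries = {}, []
    for b_bad in range(P):
        if prod(residues) > ORD_G:  # enough congruences to pin d down
            break
        if b_bad == B or (4 * A ** 3 + 27 * b_bad ** 2) % P == 0:
            continue  # skip the real curve and singular curves
        pts = points(A, b_bad, P)
        n_bad = len(pts) + 1
        for r in SMALL_PRIMES:
            if r in residues or n_bad % r:
                continue
            q = point_of_order(r, pts, n_bad)
            for k in range(r):  # at most r oracle queries for this prime
                if oracle(q, mul(k, q, A, P)):
                    residues[r] = {k, (-k) % r}
                    queries.append((b_bad, q, r))
                    break
    primes = list(residues)
    for choice in product(*(residues[r] for r in primes)):
        cand = crt(choice, primes)
        if mul(cand, G, A, P) == VICTIM_PUB:  # confirm against the public key
            return cand % ORD_G, queries
    raise RuntimeError("recovery failed")
```

Calling invalid_curve_attack() returns the recovered private key together with the off-curve points that were sent; every one of them satisfies the equation of some other curve with the same a, so passing any of them to responder_shared_x(q, validate=True) raises, which is the kind of public-key validation the upstream fix adds. The cap on prime size is what makes the query count small (at most r guesses per prime, a few dozen in total here); without a small-order subgroup on the attacker's curve the same idea degenerates into brute force, which is why the defence is to reject the point, not to hope the subgroup is large.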
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.49+dfsg-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 802...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Dec 2015 22:16:20 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source all
Version: 1.49+dfsg-3+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documenta
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Document
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Closes: 802671
Changes:
 bouncycastle (1.49+dfsg-3+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * CVE-2015-7940: fix invalid curve attack as described in
     http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
     (Closes: #802671)
Checksums-Sha1:
 c6c378985e7292b1438d5c0c83d1e8da81f66266 2724 bouncycastle_1.49+dfsg-3+deb8u1.dsc
 e8ae9351b809a04b6da4692ca7e4d84940c66c6f 5877794 bouncycastle_1.49+dfsg.orig.tar.gz
 221c1cf4ef0b401d85136a4d1da735004bd936bb 20700 bouncycastle_1.49+dfsg-3+deb8u1.debian.tar.xz
 d6b6a1f26c32bd2996b4e549e34721b8e2fb5eaf 2001778 libbcprov-java_1.49+dfsg-3+deb8u1_all.deb
 919e974743010123206d654307c40a2b3e2283ea 80192 libbcprov-java-doc_1.49+dfsg-3+deb8u1_all.deb
 5c9bc2c22bcd73b622ed55c944dafb62438c8f30 115662 libbcmail-java_1.49+dfsg-3+deb8u1_all.deb
 5e67f6b347aa984b37c34245330f354f31acf3f2 97124 libbcmail-java-doc_1.49+dfsg-3+deb8u1_all.deb
 c6fd82ec4ff0a6757c8d62bcc041534dbb14de03 532544 libbcpkix-java_1.49+dfsg-3+deb8u1_all.deb
 38cdafd14cae138947b892f621ccafe5c56ea043 324074 libbcpkix-java-doc_1.49+dfsg-3+deb8u1_all.deb
 b1544f2bf2f6a5997ab2e0f0f1497cfe3f340510 233754 libbcpg-java_1.49+dfsg-3+deb8u1_all.deb
 305a241fe1abf9dde0f3ffc724ea765d685a9ce1 34586 libbcpg-java-doc_1.49+dfsg-3+deb8u1_all.deb
Checksums-Sha256:
 82c120cf34d791f756a44ba9325d772e787df46deacd34062ac2ea2ee19d9e35 2724 bouncycastle_1.49+dfsg-3+deb8u1.dsc
 218b70308c49ccc9c6ebf54fde81be68c74204c6a04223e75b6d5acb13266a3f 5877794 bouncycastle_1.49+dfsg.orig.tar.gz
 1016041fab314c55fb91c94f32c9bb703c3d373f0d8578177257e48d5ac16145 20700 bouncycastle_1.49+dfsg-3+deb8u1.debian.tar.xz
 a56bbd4c1fbf13d61353b75f3a86bd4b70278a2beddc52e37ae5659a385cf4df 2001778 libbcprov-java_1.49+dfsg-3+deb8u1_all.deb
 82970080ddfb237253a4c570df3be1fd0fcf0039ab0a8a6648713fbe4016b76b 80192 libbcprov-java-doc_1.49+dfsg-3+deb8u1_all.deb
 fb74dc4893b638b43ba6ecf2718c7f03b4dffa22ea3ef9d489e1cc9912f0d890 115662 libbcmail-java_1.49+dfsg-3+deb8u1_all.deb
 d96a883798c252bc893abb9dc8b3a66e15268df84f1be75b97f59811c7513f23 97124 libbcmail-java-doc_1.49+dfsg-3+deb8u1_all.deb
 4564958179f47e3eb28c93a15f0a57ee6962499764dbe55a172eeba5ab58ba23 532544 libbcpkix-java_1.49+dfsg-3+deb8u1_all.deb
 96ab2842f88448dda43b026441d4463d975db03e4462f932362b527993a1c26e 324074 libbcpkix-java-doc_1.49+dfsg-3+deb8u1_all.deb
 2bef52b9fd80b19ba4335535398612040e66501060baffcdadb60e855a5203fe 233754 libbcpg-java_1.49+dfsg-3+deb8u1_all.deb
 63c15418c640f22ede7b869bbd16a467e88a576f32b6420aeccd1998535f2150 34586 libbcpg-java-doc_1.49+dfsg-3+deb8u1_all.deb
Files:
 0b8db54882705627c8e030e5f5f7b429 2724 java optional bouncycastle_1.49+dfsg-3+deb8u1.dsc
 2d7dcf82cd40101eae351a822c8dc183 5877794 java optional bouncycastle_1.49+dfsg.orig.tar.gz
 4abb08e538807f8cf94b9d079e32c262 20700 java optional bouncycastle_1.49+dfsg-3+deb8u1.debian.tar.xz
 1bdf26af59299f0243900fd652f203d7 2001778 java optional libbcprov-java_1.49+dfsg-3+deb8u1_all.deb
 a176e3952bc6beb086ab5ede8a35faac 80192 doc optional libbcprov-java-doc_1.49+dfsg-3+deb8u1_all.deb
 8681e5f5ec7874ccf509296aa1f881b6 115662 java optional libbcmail-java_1.49+dfsg-3+deb8u1_all.deb
 282ca6bfc62ff970ae6024957aee0886 97124 doc optional libbcmail-java-doc_1.49+dfsg-3+deb8u1_all.deb
 c15e657d8ed541391148c8488973ccb4 532544 java optional libbcpkix-java_1.49+dfsg-3+deb8u1_all.deb
 c36901cb72f4e708f24aecdf7804210c 324074 doc optional libbcpkix-java-doc_1.49+dfsg-3+deb8u1_all.deb
 afb901fff0592566c074742dd1c9e603 233754 java optional libbcpg-java_1.49+dfsg-3+deb8u1_all.deb
 2d8ef4b269d4c0fda1e663d31dffdf2c 34586 doc optional libbcpg-java-doc_1.49+dfsg-3+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---