Your message dated Tue, 22 Dec 2015 21:48:07 +0000
with message-id <e1abumt-0005ww...@franck.debian.org>
and subject line Bug#802671: fixed in bouncycastle 1.44+dfsg-3.1+deb7u1
has caused the Debian Bug report #802671,
regarding CVE-2015-7940: bouncycastle: ECC private keys can be recovered via
invalid curve attack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
802671: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.44+dfsg-2
Severity: serious
Tags: security
Control: fixed -1 1.51-1
Hello,
bouncycastle 1.49 in stable/testing/unstable (and 1.44 in wheezy/squeeze)
is vulnerable to an invalid curve attack as described here:
https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
This is fixed in version 1.51 (in experimental).
The upstream patches that fix this issue should be those ones:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a
A CVE has been requested here:
http://www.openwall.com/lists/oss-security/2015/10/22/7
-- System Information:
Debian Release: stretch/sid
APT prefers squeeze-lts
APT policy: (500, 'squeeze-lts'), (500, 'oldoldstable'), (500, 'unstable'),
(500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
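The standard defense against an invalid curve attack is to validate a peer-supplied public point before it is ever multiplied by a private key: check that it is not the point at infinity, that its coordinates are in range, that it actually satisfies the intended curve equation, and that it has the expected order. The following is an added example written for this thread, not BouncyCastle's code or the patches linked above; it uses the public NIST P-256 parameters and a constructed off-curve point (1, 1) to show the check rejecting what an attacker would send.

```python
# Added example (not BouncyCastle's code): public-key point validation,
# the standard defense against invalid curve attacks. Constants are the
# public NIST P-256 (secp256r1) domain parameters.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def point_add(p1, p2):
    # Affine addition on y^2 = x^3 + A*x + B mod P; None is infinity.
    # The formulas never use B, so a point on another curve with the same
    # A is "added" just as happily; hence the curve check in validation.
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None  # Q + (-Q) = infinity
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, point):
    # Double-and-add; used here only for the public order check.
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def validate_public_point(point):
    # Full validation of a peer-supplied point: not infinity, coordinates in
    # range, on the intended curve (the B check), and of order N. Only after
    # this passes may a private key be multiplied into the point (ECDH).
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False
    return scalar_mult(N, point) is None
```

The constructed point (1, 1) lies on y^2 = x^3 + A*x + 3 mod P rather than on P-256, so only the curve-equation step catches it; the order check alone would not, because the group law never reads B.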
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.44+dfsg-3.1+deb7u1
We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 802...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated bouncycastle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 13 Dec 2015 22:38:29 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc
libbctsp-java libbctsp-java-doc libbcpg-java libbcpg-java-doc
libbcprov-java-gcj libbcmail-java-gcj libbctsp-java-gcj libbcpg-java-gcj
Architecture: source all amd64
Version: 1.44+dfsg-3.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
<pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
libbcmail-java-doc - Documentation for libbcmail-java
libbcmail-java-gcj - Bouncy Castle generators/processors for S/MIME and CMS
libbcpg-java - Bouncy Castle generators/processors for OpenPGP
libbcpg-java-doc - Documentation for libbcpg-java
libbcpg-java-gcj - Bouncy Castle generators/processors for OpenPGP
libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
libbcprov-java-doc - Documentation for libbcprov-java
libbcprov-java-gcj - Bouncy Castle Java Cryptographic Service Provider
libbctsp-java - Bouncy Castle generators/processors for TSP
libbctsp-java-doc - Documentation for libbctsp-java
libbctsp-java-gcj - Bouncy Castle generators/processors for TSP
Closes: 802671
Changes:
bouncycastle (1.44+dfsg-3.1+deb7u1) wheezy-security; urgency=high
.
* Team upload.
* CVE-2015-7940: fix invalid curve attack as described in
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
Thanks to Peter Dettman and Raphaël Hertzog for the patches.
(Closes: #802671)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---