Your message dated Tue, 12 Jun 2018 21:19:31 +0000
with message-id <e1fsqhp-0001fj...@fasolo.debian.org>
and subject line Bug#900843: fixed in bouncycastle 1.59-2
has caused the Debian Bug report #900843,
regarding bouncycastle: CVE-2018-1000180
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
900843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900843
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.54-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://www.bouncycastle.org/jira/browse/BJA-694
Hi,
The following vulnerability was published for bouncycastle.
CVE-2018-1000180[0]:
| Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier
| have a flaw in the Low-level interface to RSA key pair generator,
| specifically RSA Key Pairs generated in low-level API with added
| certainty may have less M-R tests than expected. This appears to be
| fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1000180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
[1] https://www.bouncycastle.org/jira/browse/BJA-694
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.59-2
We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 900...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated bouncycastle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 12 Jun 2018 22:38:03 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source
Version: 1.59-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documenta
libbcpg-java - Bouncy Castle generators/processors for OpenPGP
libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Document
libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Closes: 900843
Changes:
bouncycastle (1.59-2) unstable; urgency=high
.
* Team upload.
* Fix CVE-2018-1000180.
Thanks to Salvatore Bonaccorso for the report. (Closes: #900843)
* Declare compliance with Debian Policy 4.1.4.
--- End Message ---