Your message dated Tue, 23 Sep 2025 18:19:12 +0000
with message-id <[email protected]>
and subject line Bug#1116054: fixed in libscram-java 3.2-1
has caused the Debian Bug report #1116054,
regarding libscram-java: CVE-2025-59432
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1116054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116054
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libscram-java
Version: 3.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libscram-java.
CVE-2025-59432[0]:
| SCRAM (Salted Challenge Response Authentication Mechanism) is part
| of the family of Simple Authentication and Security Layer (SASL, RFC
| 4422) authentication mechanisms. Prior to version 3.2, a timing
| attack vulnerability exists in the SCRAM Java implementation. The
| issue arises because Arrays.equals was used to compare secret values
| such as client proofs and server signatures. Since Arrays.equals
| performs a short-circuit comparison, the execution time varies
| depending on how many leading bytes match. This behavior could allow
| an attacker to perform a timing side-channel attack and potentially
| infer sensitive authentication material. All users relying on SCRAM
| authentication are impacted. This vulnerability has been patched in
| version 3.1 by replacing Arrays.equals with MessageDigest.isEqual,
| which ensures constant-time comparison.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59432
https://www.cve.org/CVERecord?id=CVE-2025-59432
[1] https://github.com/ongres/scram/security/advisories/GHSA-3wfh-36rx-9537
[2] https://github.com/ongres/scram/commit/e0b0cf99f05406a0d26682c72fcb5728e95124b3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
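The comparison the advisory describes, as an added Java example that is not code from libscram-java or from the upstream fix: a server-side SCRAM-SHA-256 client-proof check (RFC 5802, section 3) written once with the pre-3.2 Arrays.equals pattern and once with MessageDigest.isEqual; the same replacement applies to the client's check of the server signature. All sample values are constructed, and a fixed digest stands in for the PBKDF2-derived SaltedPassword.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Server-side check of a SCRAM-SHA-256 client proof (RFC 5802, section 3), reduced to
// the step the advisory is about: comparing the recovered StoredKey with the one on file.
public final class ScramProofCheck {
    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }
    static byte[] h(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }
    static byte[] xor(byte[] a, byte[] b) {
        byte[] out = new byte[a.length];
        for (int i = 0; i < a.length; i++) out[i] = (byte) (a[i] ^ b[i]);
        return out;
    }
    // ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage); the server never holds
    // ClientKey itself, so it hashes the recovered value and compares it with StoredKey.
    static byte[] recoverStoredKey(byte[] storedKey, String authMessage, byte[] proof) throws Exception {
        return h(xor(proof, hmac(storedKey, authMessage)));
    }
    // Pre-3.2 pattern (CVE-2025-59432): Arrays.equals returns at the first mismatching
    // byte, so rejection time grows with the number of leading bytes a wrong proof gets right.
    static boolean verifyShortCircuit(byte[] storedKey, String authMessage, byte[] proof) throws Exception {
        return Arrays.equals(recoverStoredKey(storedKey, authMessage, proof), storedKey);
    }
    // 3.2 pattern: MessageDigest.isEqual inspects every byte when the lengths match (a length
    // mismatch is rejected at once, which only reveals the public digest size).
    static boolean verifyConstantTime(byte[] storedKey, String authMessage, byte[] proof) throws Exception {
        return MessageDigest.isEqual(recoverStoredKey(storedKey, authMessage, proof), storedKey);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values; a fixed digest stands in for the PBKDF2-derived SaltedPassword.
        byte[] saltedPassword = h("constructed-salted-password".getBytes(StandardCharsets.UTF_8));
        byte[] clientKey = hmac(saltedPassword, "Client Key");
        byte[] storedKey = h(clientKey);
        String authMessage = "n=user,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce";
        byte[] goodProof = xor(clientKey, hmac(storedKey, authMessage));
        byte[] badProof = goodProof.clone();
        badProof[badProof.length - 1] ^= 1; // only the last byte differs: the slowest case for Arrays.equals
        System.out.println("good: " + verifyConstantTime(storedKey, authMessage, goodProof) + " tampered: " + verifyConstantTime(storedKey, authMessage, badProof));
    }
}
```

Both verify methods return the same booleans; the difference the CVE is about is only in how long the rejecting call takes, which is why the fix is a drop-in swap of the comparison call.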
--- Begin Message ---
Source: libscram-java
Source-Version: 3.2-1
Done: Christoph Berg <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libscram-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Berg <[email protected]> (supplier of updated libscram-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 23 Sep 2025 18:13:50 +0200
Source: libscram-java
Architecture: source
Version: 3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Christoph Berg <[email protected]>
Closes: 1116054
Changes:
libscram-java (3.2-1) unstable; urgency=medium
.
* New upstream version 3.2.
* Fixes timing attacks. (Closes: #1116054, CVE-2025-59432)
--- End Message ---
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.