A CVE has been requested for a security issue fixed in bouncycastle 1.51:
The upstream commits to fix the issue are also linked in the message above.
CVE-2015-7940 has been assigned:
bouncycastle new security issue fixed upstream in 1.51 =>
bouncycastle new security issue fixed upstream in 1.51 (CVE-2015-7940)
Tested upstream commits as patches, they don't apply cleanly on mga5 1.50 sources.
OK. If it isn't easy enough to fix the patches to apply, then I guess we'll just have to update it to 1.51 or 1.52.
Tested too, the patches do not apply cleanly. Before updating we have to make sure there is no BIC
OpenSuSE has issued an advisory for this today (November 4):
(In reply to David Walser from comment #5)
> OpenSuSE has issued an advisory for this today (November 4):
Also available at this URL:
Debian has issued an advisory for this on December 14:
They added some patches backported to 1.49:
CVE-2015-7940 should be fixed now for mga5 too, adding patch from Fedora 22 (Backport EC implementation from BC 1.51)
Also I added another patch from Fedora to fix buffer underflow (rhbz#1218258).
Updated bouncycastle packages fix security vulnerability:
The Bouncy Castle Java library before 1.51 does not validate a point is within
the elliptic curve, which makes it easier for remote attackers to obtain
private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key
exchanges, aka an "invalid curve attack" (CVE-2015-7940).
Updated packages in core/updates_testing:
This one looks like a six month project. As far as I can tell there are some test programs but it is not clear how you get hold of them or how they are run. Definitely for someone expert in Java and well-versed in the language used for instance in the documentation file at https://www.bouncycastle.org/documentation.html. There seem to be various requirements like "you must use the signed jar for the provider" and "you must download the unrestricted policy files for the Sun JCE". First you have to know what "provider" means. Too obscure for me so over to the experts.
(In reply to Len Lawrence from comment #10)
> Too obscure for me so over to the experts.
Nope. It's a Java package. Just ensure that it upgrades cleanly.
mga5 x86_64 Mate
OK David. That's done.
$ sudo urpmi bouncycastle
A requested package cannot be installed:
bouncycastle-1.50-3.mga5.noarch (in order to keep bouncycastle-1.50-3.1.mga5.noarch)
Continue installation anyway? (Y/n) n
# locate bouncycastle
mga5 i586 vbox Mate
The same package installs fine for 32-bit architecture. Thought it worth checking.
bouncycastle search returned:
Validating this. Please push to 5 updates.
MGA5-64-OK MGA5-32-OK =>
MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository.