A CVE has been requested for a security issue fixed in bouncycastle 1.51: http://openwall.com/lists/oss-security/2015/10/22/7 The upstream commits to fix the issue are also linked in the message above.
CC: (none) => geiger.david68210, yann.cantin
CVE-2015-7940 has been assigned: http://openwall.com/lists/oss-security/2015/10/22/9
Summary: bouncycastle new security issue fixed upstream in 1.51 => bouncycastle new security issue fixed upstream in 1.51 (CVE-2015-7940)
Status: NEW => ASSIGNED
Tested upstream commits as patches, they don't apply cleanly on mga5 1.50 sources.
OK. If it isn't easy enough to fix the patches to apply, then I guess we'll just have to update it to 1.51 or 1.52.
Tested too, the patches do not apply cleanly. Before updating we have to make sure there is no BIC.
OpenSuSE has issued an advisory for this today (November 4): http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html
URL: (none) => http://lwn.net/Vulnerabilities/663068/
(In reply to David Walser from comment #5)
> OpenSuSE has issued an advisory for this today (November 4):
> http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html
Also available at this URL: http://lists.opensuse.org/opensuse-updates/2015-11/msg00036.html
Debian has issued an advisory for this on December 14: https://www.debian.org/security/2015/dsa-3417 They added some patches backported to 1.49: https://anonscm.debian.org/cgit/pkg-java/bouncycastle.git/commit/?h=jessie-security&id=70396011941d9d2083da8842acbb53f95abd7c58
CVE-2015-7940 should be fixed now for mga5 too, adding patch from Fedora 22 (Backport EC implementation from BC 1.51). Also I added another patch from Fedora to fix buffer underflow (rhbz#1218258).
Thanks David!
Advisory:
========================
Updated bouncycastle packages fix security vulnerability:
The Bouncy Castle Java library before 1.51 does not validate a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack" (CVE-2015-7940).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
http://lists.opensuse.org/opensuse-updates/2015-11/msg00036.html
========================
Updated packages in core/updates_testing:
========================
bouncycastle-1.50-3.1.mga5
bouncycastle-javadoc-1.50-3.1.mga5
from bouncycastle-1.50-3.1.mga5.src.rpm
Assignee: mageia => qa-bugs
This one looks like a six month project. As far as I can tell there are some test programs but it is not clear how you get hold of them or how they are run. Definitely for someone expert in java and well-versed in the language used for instance in the documentation file at https://www.bouncycastle.org/documentation.html. There seem to be various requirements like "you must use the signed jar for the provider" and "you must download the unrestricted policy files for the Sun JCE". First you have to know what "provider" means. Too obscure for me so over to the experts.
CC: (none) => tarazed25
(In reply to Len Lawrence from comment #10)
> Too obscure for me so over to the experts.
Nope. It's a Java package. Just ensure that it upgrades cleanly.
mga5 x86_64 Mate
OK David. That's done.
$ sudo urpmi bouncycastle
A requested package cannot be installed:
bouncycastle-1.50-3.mga5.noarch (in order to keep bouncycastle-1.50-3.1.mga5.noarch)
Continue installation anyway? (Y/n) n
# updatedb
# locate bouncycastle
/etc/java/security/security.d/2000-org.bouncycastle.jce.provider.BouncyCastleProvider
/usr/share/doc/bouncycastle
/usr/share/doc/bouncycastle-javadoc
/usr/share/doc/bouncycastle/CONTRIBUTORS.html
/usr/share/doc/bouncycastle/LICENSE.html
/usr/share/doc/bouncycastle/index.html
/usr/share/doc/bouncycastle-javadoc/LICENSE.html
/usr/share/javadoc/bouncycastle
/usr/share/javadoc/bouncycastle/index.html
/usr/share/javadoc/bouncycastle/releasenotes.html
/usr/share/javadoc/bouncycastle/specifications.html
/usr/share/javadoc/bouncycastle/tls
/usr/share/javadoc/bouncycastle/tls/GnuTLSSetup.html
/usr/share/javadoc/bouncycastle/tls/OpenSSLSetup.html
/usr/share/maven-metadata/bouncycastle.xml
Whiteboard: (none) => MGA5-64-OK
mga5 i586 vbox Mate
The same package installs fine for 32-bit architecture. Thought it worth checking.
bouncycastle search returned:
/etc/java/security/security.d/2000-org.bouncycastle.jce.provider.BouncyCastleProvider
/usr/share/doc/bouncycastle
/usr/share/doc/bouncycastle/CONTRIBUTORS.html
/usr/share/doc/bouncycastle/LICENSE.html
/usr/share/doc/bouncycastle/index.html
/usr/share/maven-metadata/bouncycastle.xml
Validating this. Please push to 5 updates.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0487.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED