TLS timing attack in bouncycastle (Lucky 13)

Debian Bug report logs - #699885
TLS timing attack in bouncycastle (Lucky 13)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: submit@bugs.debian.org

Subject: TLS timing attack in bouncycastle (Lucky 13)

Date: Wed, 6 Feb 2013 11:45:31 +0100

[Message part 1 (text/plain, inline)]

Package: bouncycastle
Severity: serious
Tags: security

Hi,

Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/

In the advisory, the following information is present about bouncycastle:
"a patch will be included in version 1.48 of the Java library, to be released 
on or about 05/02/2013. The C# version of BouncyCastle will be fixed in CVS at 
a similar time, and included in release 1.8 at a later date."

The generic protocol issue has been assigned CVE name CVE-2013-0169. The 
specific fix for bouncycastle is known as CVE-2013-1624. Please mention these 
identifiers in the changelog.

Can you see to it that this issue is addressed in unstable and testing? And 
are you available to create an update for stable-security?


Cheers,
Thijs

[signature.asc (application/pgp-signature, inline)]

Message #14 received at 699885-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>

To: 699885-close@bugs.debian.org

Subject: Bug#699885: fixed in bouncycastle 1.48+dfsg-1

Date: Sat, 06 Apr 2013 01:00:07 +0000

Source: bouncycastle
Source-Version: 1.48+dfsg-1

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 699885@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 29 Mar 2013 12:52:23 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc libbcprov-java-gcj libbcmail-java-gcj libbcpkix-java-gcj libbcpg-java-gcj
Architecture: source all amd64
Version: 1.48+dfsg-1
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Documentation for libbcmail-java
 libbcmail-java-gcj - Bouncy Castle generators/processors for S/MIME and CMS
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Documentation for libbcpg-java
 libbcpg-java-gcj - Bouncy Castle generators/processors for OpenPGP
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Documentation for libbcpkix-java
 libbcpkix-java-gcj - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Documentation for libbcprov-java
 libbcprov-java-gcj - Bouncy Castle Java Cryptographic Service Provider
Closes: 675819 699885 701698
Changes: 
 bouncycastle (1.48+dfsg-1) experimental; urgency=low
 .
   * Team upload.
   * New upstream release (Closes: #701698)
     - Fixes the Lucky 13 attack on CBC-mode encryption in TLS
       CVE-2013-0169, CVE-2013-1624 (Closes: #699885)
   * Added the bcpkix packages (Closes: #675819)
   * Removed the bctsp packages (the TSP API is now included in bcpkix)
   * Updated Standards-Version to 3.9.4: no changes needed.
   * Removed the DMUA flag
   * Refreshed the patches
   * Removed "Suggests: java-virtual-machine" on the libbcpg-java-gcj package
Checksums-Sha1: 
 36f3c3b813d2dd3ff40d92b7c6a6aaa5ea2fa10d 2759 bouncycastle_1.48+dfsg-1.dsc
 2a6da5d7c093ad94548a2ca173e6f7503a29a5c9 9686374 bouncycastle_1.48+dfsg.orig.tar.gz
 35c7e056236a7a7012530b9016b41e39c352d311 9692 bouncycastle_1.48+dfsg-1.debian.tar.gz
 eb362d36b325259f7f504c1a80f12fd10bf36350 1925518 libbcprov-java_1.48+dfsg-1_all.deb
 7271298889523ceabbfa5da1523c601c7f3df6ac 2000700 libbcprov-java-doc_1.48+dfsg-1_all.deb
 6ac0918459649c893ad6f3d029b20c3dbdef21bb 138208 libbcmail-java_1.48+dfsg-1_all.deb
 c5d4fd7439435ba514a6cabbd6bfca275428a49d 84598 libbcmail-java-doc_1.48+dfsg-1_all.deb
 6b8606dd7d9f7880c482d83cf9b21ecccb5bf993 528640 libbcpkix-java_1.48+dfsg-1_all.deb
 cf8cc3cbce75a82cadb564d34a464862ea887a3d 463402 libbcpkix-java-doc_1.48+dfsg-1_all.deb
 f1572a5786006cb220d0232aeb6e78b4c5cd24ed 256846 libbcpg-java_1.48+dfsg-1_all.deb
 18ec776a549fd30790c1f7e5967a0ab845b120a7 214718 libbcpg-java-doc_1.48+dfsg-1_all.deb
 accf2f7fcf932338b06273aec0b68f9336063fe9 2961492 libbcprov-java-gcj_1.48+dfsg-1_amd64.deb
 0430698fdac7198f586161bbc6b041b0842d4360 122312 libbcmail-java-gcj_1.48+dfsg-1_amd64.deb
 1ba3703c0354a707e8ac512d84d51403bdfdebde 657580 libbcpkix-java-gcj_1.48+dfsg-1_amd64.deb
 67f3941bb175d29774840eb0fad7aca248e21253 315822 libbcpg-java-gcj_1.48+dfsg-1_amd64.deb
Checksums-Sha256: 
 48f335cfe3a057032078d9984a6aeccdc1f1b9e723800ae768ddffb432a9b812 2759 bouncycastle_1.48+dfsg-1.dsc
 f98bde58148c894ec7025b1794b28dc9f745633e4b41760f975552cf13248b47 9686374 bouncycastle_1.48+dfsg.orig.tar.gz
 3cbc822ee715e80208719788a5061747972ad80e411c63030558b3b0a568bb27 9692 bouncycastle_1.48+dfsg-1.debian.tar.gz
 646da2b4613b4c0504c7b4e01d54d9347ac101ebc6d17a1fe06eece9341c86af 1925518 libbcprov-java_1.48+dfsg-1_all.deb
 eef78da0252c89939d72413438615e06ad7118732c949feddbcbec337192ccf5 2000700 libbcprov-java-doc_1.48+dfsg-1_all.deb
 4b29ccefed1a49eff6c8e2a5228f2d5df8a7c27300ffd656dfe7e9409d8ab547 138208 libbcmail-java_1.48+dfsg-1_all.deb
 79df81fe7a1065df2f2c1f835a001fbcdbd3e64728f47971b6a586496045ad44 84598 libbcmail-java-doc_1.48+dfsg-1_all.deb
 42a235558a10e7eb1cc6760dd23d290a9cda10a2f674445f481277c0ecafc334 528640 libbcpkix-java_1.48+dfsg-1_all.deb
 b64318093fa5683be0f5d1e68f6ba8c280fa43ec305b093991e3d87576822372 463402 libbcpkix-java-doc_1.48+dfsg-1_all.deb
 ce999d7f0d441eebe56a32e38b37a67538383ae040e7ea28ef7df5c42316921e 256846 libbcpg-java_1.48+dfsg-1_all.deb
 ac1e497749bfe6eb0d66747445ee645d24d4fade8191d9e5093d462180b54cbc 214718 libbcpg-java-doc_1.48+dfsg-1_all.deb
 b06003966ff8026e84f814296b731fd8913ce5bfb8f6f9bb2c16913ab9c0b1c4 2961492 libbcprov-java-gcj_1.48+dfsg-1_amd64.deb
 ff2f08de6f9d3b962fae949be3b439476fb0661161363b5ec353d63e06bc7942 122312 libbcmail-java-gcj_1.48+dfsg-1_amd64.deb
 b15a01156fa4b9bcb3ebeff7e8ab09bb29619b89fda2d1f979f7eb847813ab57 657580 libbcpkix-java-gcj_1.48+dfsg-1_amd64.deb
 130ebd8feb6a6864b1223752b5bcb3ed1e2fa73846b3fe10c5567de3ce796230 315822 libbcpg-java-gcj_1.48+dfsg-1_amd64.deb
Files: 
 8b4ead0939e3816cdc2ae6d3ffb78098 2759 java optional bouncycastle_1.48+dfsg-1.dsc
 ba1d247b3bd96de883257c255109edc7 9686374 java optional bouncycastle_1.48+dfsg.orig.tar.gz
 08123849e913930a05f035ef00f59c08 9692 java optional bouncycastle_1.48+dfsg-1.debian.tar.gz
 1d848f2795da3547bba51d400838f64b 1925518 java optional libbcprov-java_1.48+dfsg-1_all.deb
 364648137ca5bcb3b4630d06cd089cf8 2000700 doc optional libbcprov-java-doc_1.48+dfsg-1_all.deb
 2dad0f109358718e054197e35e8d3c37 138208 java optional libbcmail-java_1.48+dfsg-1_all.deb
 186d77c89041f2654046b8cd4004bd6c 84598 doc optional libbcmail-java-doc_1.48+dfsg-1_all.deb
 ae805d3193349de56a920548b48d17f9 528640 java optional libbcpkix-java_1.48+dfsg-1_all.deb
 de2e6d61d56a0eaf05041d17a64ac3ed 463402 doc optional libbcpkix-java-doc_1.48+dfsg-1_all.deb
 eea470fcc4080a4ab30fbfe628720b56 256846 java optional libbcpg-java_1.48+dfsg-1_all.deb
 17f97392e5d8ce9ee4b4bceb102dee2a 214718 doc optional libbcpg-java-doc_1.48+dfsg-1_all.deb
 edc482f58a83d94307c60f233db02105 2961492 java optional libbcprov-java-gcj_1.48+dfsg-1_amd64.deb
 3543dfb20ff2881c0bd6da03308f3446 122312 java optional libbcmail-java-gcj_1.48+dfsg-1_amd64.deb
 b509d4c2e11aa338982bce72d1d46429 657580 java optional libbcpkix-java-gcj_1.48+dfsg-1_amd64.deb
 553e44dabf8fb85aa8a3b628647862d4 315822 java optional libbcpg-java-gcj_1.48+dfsg-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJRXQTQAAoJECHSBYmXSz6WucoP/RDYGVcTZWntW5TYcDyz72IC
pDPIyqGg0OUQCGLKX+pgYIFKDYRG7LhnLrZw5rMU5RxUTayjv15vKmeBdxoX1ZwQ
U8VYBWd20n+H7oWXFacPuQIqiUGTpHcTbY7ExIo9hr4nF9GVq8mzxSDywesm13cv
/Oq4iE9syw0yhNWVJ4apwhxQGIstcwPyYD/mOnktuFHxOoy75TeG59kbvSF3qkB3
tx1EoUQYStSqNFKoOHO00kfDtoAlRhC6/stU8UGA0VNTT0r82Pyw+VxI9KUZLw4E
8tnaeNRTYIUz5wdmSE7ugx/S7Xod8qrVSBSrQBmeJsVaEliHgJO6gNh5rF5LELAD
Yulwr1D06qVdIo4CqWwE17o9bPDuN03Z9vSKPjoSD6kAWztkh8qLWjD1nu9acaNs
dpVuNwSGQW6mhKJUij2bSm73Eb7RPGXG5ynuMZ4RbwDEJvzaL5g39vpzosLS4Ehq
1UYmFHhcuhoKRSdJjaCRF514rtcATr5nGo03viYsCjCbF2CWvfC/L8843hJBiZVi
WzYofavDZiOgx1o3yP8h0mEOHLAjX+Y+DKEzGIyJxKWzwiZ7ZMZEo7xVUEUa6LSW
Ll6bvYUcMZD3CjB8/uodIoEJ94Q9ztlVTZcxzbFoKVc2EbfiRlbecw/UCA4hJTFd
uQTmW+pD2qTLxXWNkp1x
=8EW6
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.