libjbcrypt-java: CVE-2015-0886

Debian Bug report logs - #780102


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 9 Mar 2015 10:42:02 UTC

Severity: important

Tags: security

Fixed in version libjbcrypt-java/0.4-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780102; Package libjbcrypt-java. (Mon, 09 Mar 2015 10:42:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 09 Mar 2015 10:42:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libjbcrypt-java: CVE-2015-0886
Date: Mon, 09 Mar 2015 11:33:51 +0100
Package: libjbcrypt-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2097

Cheers,
         Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780102; Package libjbcrypt-java. (Mon, 09 Mar 2015 14:03:13 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 09 Mar 2015 14:03:13 GMT)


Message #10 received at 780102@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 780102@bugs.debian.org
Subject: Re: Bug#780102: libjbcrypt-java: CVE-2015-0886
Date: Mon, 09 Mar 2015 15:00:27 +0100
Thank you for the report Moritz.

According to the Bugzilla report the issue happens when BCrypt.gensalt()
is called with the value 31. jenkins is the only package using this
library and it calls this method with no parameter [1], the default
value being 10 [2].

So I don't think this issue is critical for Jessie.

Emmanuel Bourg

[1]
https://sources.debian.net/src/jenkins/1.565.3-3/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java/#L645
[2] https://sources.debian.net/src/libjbcrypt-java/0.3-4/BCrypt.java/#L66
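The arithmetic behind the report above, as an added example that is not part of the original thread and not jBCrypt's own source. CVE-2015-0886 is an integer overflow in crypt_raw: the helper methods below mirror the shape of the pre-0.4 cost handling as this editor understands it (the bound check admitted a log_rounds of 31, the round count was computed as `1 << log_rounds` in a 32-bit int, and the key-schedule loop was written with `i < rounds`), next to a variant in the spirit of the 0.4 fix. The class name, method names, the exception texts and the placeholder hash strings are invented for illustration; the scanner at the end is what a practitioner would run over a password store to find hashes that were produced with cost 31 by an affected build.

```java
/**
 * Cost-parameter handling around CVE-2015-0886 (jBCrypt before 0.4).
 * Illustration only: these helpers reproduce the shape of the vulnerable
 * arithmetic as understood by the editor; they are not jBCrypt's code.
 */
public class BcryptCostCheck {

    /** Lower bound bcrypt implementations enforce; upper bound introduced by the 0.4 fix. */
    static final int MIN_LOG_ROUNDS = 4;
    static final int MAX_LOG_ROUNDS_FIXED = 30;

    /**
     * Pre-0.4 pattern: the bound check allowed 31, then the number of key-schedule
     * rounds was computed in a 32-bit int. 1 << 31 is Integer.MIN_VALUE, so a loop
     * written as "for (i = 0; i < rounds; i++)" executes zero times and the password
     * is effectively hashed without stretching.
     * Returns the number of iterations such a loop would run, without running them.
     */
    static long vulnerableEffectiveRounds(int logRounds) {
        if (logRounds < MIN_LOG_ROUNDS || logRounds > 31) {
            throw new IllegalArgumentException("Bad number of rounds");
        }
        int rounds = 1 << logRounds;      // wraps to Integer.MIN_VALUE when logRounds == 31
        return rounds > 0 ? rounds : 0;   // "i < rounds" is false from the start when rounds <= 0
    }

    /**
     * Hardened variant in the spirit of the 0.4 fix: reject cost 31 outright,
     * and do the shift in 64-bit arithmetic so no accepted value can wrap.
     */
    static long fixedEffectiveRounds(int logRounds) {
        if (logRounds < MIN_LOG_ROUNDS || logRounds > MAX_LOG_ROUNDS_FIXED) {
            throw new IllegalArgumentException("log_rounds exceeds maximum (30)");
        }
        return 1L << logRounds;
    }

    /**
     * Cost factor encoded in a modular-crypt bcrypt string ("$2a$10$..."),
     * or -1 if the string is not in that shape.
     */
    static int costOf(String hash) {
        if (hash == null || hash.length() < 7
                || hash.charAt(0) != '$' || hash.charAt(3) != '$' || hash.charAt(6) != '$') {
            return -1;
        }
        try {
            return Integer.parseInt(hash.substring(4, 6));
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    /**
     * A stored hash with cost 31 produced by an affected jBCrypt went through zero
     * key-schedule rounds; treat it as unstretched and re-hash at the next successful login.
     */
    static boolean needsRehash(String hash) {
        return costOf(hash) == 31;
    }

    public static void main(String[] args) {
        for (int cost : new int[] {10, 30, 31}) {
            System.out.printf("cost %2d: old code runs %d rounds; ", cost, vulnerableEffectiveRounds(cost));
            try {
                System.out.printf("fixed code runs %d rounds%n", fixedEffectiveRounds(cost));
            } catch (IllegalArgumentException e) {
                System.out.printf("fixed code rejects it (%s)%n", e.getMessage());
            }
        }
        // Constructed placeholders in bcrypt's 60-character shape (22-char salt, 31-char hash); not real hashes.
        String salt22 = "abcdefghijklmnopqrstuv";
        String hash31 = "0123456789012345678901234567890";
        String[] stored = {"$2a$10$" + salt22 + hash31, "$2a$31$" + salt22 + hash31, "not-a-bcrypt-hash"};
        for (String h : stored) {
            System.out.printf("%-60s cost=%3d rehash=%b%n", h, costOf(h), needsRehash(h));
        }
    }
}
```

Two caveats follow from this. The overflow only fires for cost 31, so a deployment that never calls gensalt(31) (Jenkins uses the default cost of 10, as noted above) never produced a weak hash; the scan is worthwhile precisely where application code let a configuration value reach gensalt. And because the fixed library bounds log_rounds at 30 in crypt_raw, a "$2a$31$" hash that did exist will no longer verify after the upgrade (the cost is parsed out of the stored string at check time), so those accounts need a forced re-hash or reset rather than a silent library bump.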




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780102; Package libjbcrypt-java. (Tue, 10 Mar 2015 10:30:08 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 10 Mar 2015 10:30:08 GMT)


Message #15 received at 780102@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Debian Java Maintainers <debian-java@lists.debian.org>
Cc: debian-lts@lists.debian.org, 780102@bugs.debian.org
Subject: About the security issues affecting libjbcrypt-java in Squeeze
Date: Tue, 10 Mar 2015 11:27:58 +0100
Hello dear maintainer(s),

the Debian LTS team recently reviewed the security issue(s) affecting your
package in Squeeze:
https://security-tracker.debian.org/tracker/CVE-2015-0886

We decided that we would not prepare a squeeze security update (usually
because the security impact is low and that we concentrate our limited
resources on higher severity issues and on the most widely used packages).
That said the squeeze users would most certainly benefit from a fixed
package.

If you want to work on such an update, you're welcome to do so. Please
try to follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. However please make sure to
submit a tested package.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#780102; Package libjbcrypt-java. (Wed, 18 Mar 2015 21:24:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 18 Mar 2015 21:24:04 GMT)


Message #20 received at 780102@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 780102@bugs.debian.org
Subject: Re: Bug#780102: libjbcrypt-java: CVE-2015-0886
Date: Wed, 18 Mar 2015 22:21:26 +0100
On Mon, Mar 09, 2015 at 03:00:27PM +0100, Emmanuel Bourg wrote:
> Thank you for the report Moritz.
> 
> According to the Bugzilla report the issue happens when BCrypt.gensalt()
> is called with the value 31. jenkins is the only package using this
> library and it calls this method with no parameter [1], the default
> value being 10 [2].
> 
> So I don't think this issue is critical for Jessie.

Ok. It's probably fairly unlikely that external Java applications
use the shipped libjbcrypt-java package.

Cheers,
        Moritz



Severity set to 'important' from 'grave' Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Wed, 18 Mar 2015 21:33:08 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Thu, 02 Apr 2015 22:21:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 02 Apr 2015 22:21:13 GMT)


Message #27 received at 780102-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 780102-close@bugs.debian.org
Subject: Bug#780102: fixed in libjbcrypt-java 0.4-1
Date: Thu, 02 Apr 2015 22:19:08 +0000
Source: libjbcrypt-java
Source-Version: 0.4-1

We believe that the bug you reported is fixed in the latest version of
libjbcrypt-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libjbcrypt-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 02 Apr 2015 23:47:58 +0200
Source: libjbcrypt-java
Binary: libjbcrypt-java
Architecture: source all
Version: 0.4-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 libjbcrypt-java - Java implementation of OpenBSD's Blowfish hashing
Closes: 780102
Changes:
 libjbcrypt-java (0.4-1) experimental; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2015-0886 (Closes: #780102)
     - Added a build dependency on ant
   * Removed the javadoc from libjbcrypt-java
   * Renamed the jar installed in /usr/share/java to jbcrypt.jar
   * Standards-Version updated to 3.9.6 (no changes)
   * Use canonical URLs for the Vcs-* fields
   * Switch to debhelper level 9
Checksums-Sha1:
 7e7901c0374ac2517ef954d8beed375ea4431d62 2031 libjbcrypt-java_0.4-1.dsc
 80a9945192d30c379807736e842acfec649e02ee 15167 libjbcrypt-java_0.4.orig.tar.gz
 3a304184aa5ac5a497b89db1a4735c3eb18a04b1 3792 libjbcrypt-java_0.4-1.debian.tar.xz
 91fe5dfa474f762df1a9f18f1be395928db6f45a 17202 libjbcrypt-java_0.4-1_all.deb
Checksums-Sha256:
 0e950424c553e035019d7aee813ce231657e75dfd6060e180f1bffde953cd8dc 2031 libjbcrypt-java_0.4-1.dsc
 1c20d5b1d179fb63d9a4eb295f70c96e29cdbdb6173150838540210210623053 15167 libjbcrypt-java_0.4.orig.tar.gz
 b6e65afc5519a640cf35dbe17fd860216bc125c5fe3b90412dbf74b5cc34997c 3792 libjbcrypt-java_0.4-1.debian.tar.xz
 c4d544637ef276c55593cf1e8a1517909485cf0b0a339bd86e9ea321f47252f2 17202 libjbcrypt-java_0.4-1_all.deb
Files:
 2a4fbaa93f974c1b376489c31a1f9c9b 2031 java optional libjbcrypt-java_0.4-1.dsc
 8d059246e055a0ea9bcbf0463e439f3d 15167 java optional libjbcrypt-java_0.4.orig.tar.gz
 86df0aa0898fa2c93dc76886b50c13ad 3792 java optional libjbcrypt-java_0.4-1.debian.tar.xz
 1901c35083956d4446ac6bd3ed74ea42 17202 java optional libjbcrypt-java_0.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 May 2015 07:24:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:49:45 2019; Machine Name: beach
