bouncycastle: CVE-2018-1000180

Debian Bug report logs - #900843

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 5 Jun 2018 20:27:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version bouncycastle/1.54-1

Fixed in versions bouncycastle/1.59-2, bouncycastle/1.56-1+deb9u2

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://www.bouncycastle.org/jira/browse/BJA-694


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#900843; Package src:bouncycastle. (Tue, 05 Jun 2018 20:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 05 Jun 2018 20:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bouncycastle: CVE-2018-1000180
Date: Tue, 05 Jun 2018 22:24:37 +0200
Source: bouncycastle
Version: 1.54-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://www.bouncycastle.org/jira/browse/BJA-694

Hi,

The following vulnerability was published for bouncycastle.

CVE-2018-1000180[0]:
| Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier
| have a flaw in the Low-level interface to RSA key pair generator,
| specifically RSA Key Pairs generated in low-level API with added
| certainty may have less M-R tests than expected. This appears to be
| fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000180
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
[1] https://www.bouncycastle.org/jira/browse/BJA-694

Regards,
Salvatore
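The advisory text above describes the failure mode in one sentence: a caller asks the low-level RSA key pair generator for a given certainty, and the primes end up receiving fewer Miller-Rabin rounds than that certainty implies. The block below is an added example in Python, written for this page; it is not Bouncy Castle code and does not reproduce the specific defect tracked in this bug. It shows the class of problem generically: a Miller-Rabin test that reports how many rounds it actually ran, a mapping from certainty bits to rounds that is the textbook worst-case bound (each random-base round passes a composite with probability at most 1/4, so 2^-certainty needs ceil(certainty/2) rounds, rather than Bouncy Castle's own iteration table), an audit that flags a shortfall between the two, and a re-check of an existing key's p and q with the full round count. All function names and the sample composites (561 and the strong pseudoprime 3215031751) are this example's own.

```python
"""Miller-Rabin with an explicit count of the rounds actually executed, so the
number of tests a prime received can be checked against the requested certainty.

Added example in Python; it is not Bouncy Castle code and does not reproduce the
specific defect tracked in this bug. rounds_for_certainty() is the generic
worst-case bound (each random-base round passes a composite with probability at
most 1/4), not Bouncy Castle's own iteration table."""
import random
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class MRResult:
    probably_prime: bool
    rounds_run: int          # rounds actually executed before the verdict
    witness: Optional[int]   # base that proved n composite, if any


def rounds_for_certainty(certainty: int) -> int:
    """Rounds needed so a composite survives with probability <= 2**-certainty."""
    if certainty <= 0:
        raise ValueError("certainty must be a positive number of bits")
    return (certainty + 1) // 2          # ceil(certainty / 2)


def _decompose(n: int) -> Tuple[int, int]:
    """Write n - 1 as d * 2**r with d odd."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    return d, r


def miller_rabin_bases(n: int, bases: Iterable[int]) -> MRResult:
    """One Miller-Rabin round per base in [2, n-2]; stops at the first witness."""
    if n < 2:
        return MRResult(False, 0, None)
    if n in (2, 3):
        return MRResult(True, 0, None)
    if n % 2 == 0:
        return MRResult(False, 0, 2)
    d, r = _decompose(n)
    rounds = 0
    for a in bases:
        if not 2 <= a <= n - 2:
            raise ValueError(f"base {a} outside [2, n-2]")
        rounds += 1
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue                     # a is not a witness this round
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return MRResult(False, rounds, a)   # a proves n composite
    return MRResult(True, rounds, None)


def miller_rabin(n: int, rounds: int, rng: Optional[random.Random] = None) -> MRResult:
    """Miller-Rabin with `rounds` uniformly random bases (SystemRandom by default)."""
    if n < 4:
        return miller_rabin_bases(n, [])
    rng = rng or random.SystemRandom()
    return miller_rabin_bases(n, (rng.randrange(2, n - 1) for _ in range(rounds)))


def round_shortfall(certainty: int, result: MRResult) -> int:
    """Rounds by which a 'probably prime' verdict fell short of the certainty asked
    for. 0 means the certainty was honoured; a witness needs no further rounds."""
    if not result.probably_prime:
        return 0
    return max(0, rounds_for_certainty(certainty) - result.rounds_run)


def generate_probable_prime(bits: int, certainty: int,
                            rng: Optional[random.Random] = None) -> Tuple[int, MRResult]:
    """Draw `bits`-bit odd candidates until one passes M-R at the requested
    certainty. The MRResult is returned alongside p so callers can audit
    rounds_run instead of trusting the certainty parameter."""
    if bits < 16:
        raise ValueError("bits must be >= 16 (tiny primes are decided without rounds)")
    rng = rng or random.SystemRandom()
    rounds = rounds_for_certainty(certainty)
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        result = miller_rabin(cand, rounds, rng)
        if result.probably_prime and round_shortfall(certainty, result) == 0:
            return cand, result


def audit_rsa_primes(p: int, q: int, certainty: int,
                     rng: Optional[random.Random] = None) -> bool:
    """Re-test the prime factors of an existing RSA key with the full number of
    rounds the certainty implies (what you would do to keys from an affected
    generator before deciding whether to keep them)."""
    rounds = rounds_for_certainty(certainty)
    return all(miller_rabin(x, rounds, rng).probably_prime for x in (p, q))


if __name__ == "__main__":
    # 3215031751 = 151 * 751 * 28351 is the smallest strong pseudoprime to bases
    # 2, 3, 5 and 7: four fixed-base rounds call it prime, a fifth base exposes it.
    print(miller_rabin_bases(3215031751, [2, 3, 5, 7]))
    print(miller_rabin_bases(3215031751, [2, 3, 5, 7, 11]))
    p, res = generate_probable_prime(512, 100)
    print(p.bit_length(), "bit prime accepted after", res.rounds_run, "rounds")
```

The point of returning `rounds_run` rather than a bare boolean is that a certainty parameter is a promise, not a measurement: if a generator silently derives too few rounds from it, nothing in a `True` verdict reveals that. `round_shortfall()` turns the promise into a check that can be asserted in tests, and `audit_rsa_primes()` is the cheap thing to run over keys that were generated while an affected version was in use.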



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#900843. (Tue, 12 Jun 2018 20:57:04 GMT)


Message #8 received at 900843-submitter@bugs.debian.org:

From: apo@debian.org
To: 900843-submitter@bugs.debian.org
Subject: Bug #900843 in bouncycastle marked as pending
Date: Tue, 12 Jun 2018 20:56:19 +0000
Control: tag -1 pending

Hello,

Bug #900843 in bouncycastle reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/java-team/bouncycastle/commit/6affe8490f67c57e78e03b92964f7bd47ca12bad

------------------------------------------------------------------------
Fix CVE-2018-1000180.

Closes: #900843
Thanks: Salvatore Bonaccorso for the report.

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/900843



Added tag(s) pending. Request was from apo@debian.org to 900843-submitter@bugs.debian.org. (Tue, 12 Jun 2018 20:57:05 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 12 Jun 2018 21:21:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 12 Jun 2018 21:21:04 GMT)


Message #15 received at 900843-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 900843-close@bugs.debian.org
Subject: Bug#900843: fixed in bouncycastle 1.59-2
Date: Tue, 12 Jun 2018 21:19:31 +0000
Source: bouncycastle
Source-Version: 1.59-2

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 12 Jun 2018 22:38:03 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source
Version: 1.59-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documentation)
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Documentation)
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Closes: 900843
Changes:
 bouncycastle (1.59-2) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1000180.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #900843)
   * Declare compliance with Debian Policy 4.1.4.
Checksums-Sha1:
 8479b54fad0a1916d37f5b8ed952853234841beb 2689 bouncycastle_1.59-2.dsc
 928453e2f446dac242b23edf2cd5c9cf1a20389d 10916 bouncycastle_1.59-2.debian.tar.xz
 9be9f1a5aab757fe6a58c2fba657618a635fea71 13517 bouncycastle_1.59-2_amd64.buildinfo
Checksums-Sha256:
 b0af99556e6d342bae59a1005e3fd870af15bc3d597c85e24df813a179084c44 2689 bouncycastle_1.59-2.dsc
 22e3958b04ffba849634487a6ee31e86e60ab68e38c24070164d2f024c1b6597 10916 bouncycastle_1.59-2.debian.tar.xz
 69811561c4c1521bddd726643c491098768fd89590ae425b335f95573d63b336 13517 bouncycastle_1.59-2_amd64.buildinfo
Files:
 e1980be2e327015622f0b17fc915a79f 2689 java optional bouncycastle_1.59-2.dsc
 bf181d023e6f46b63bc488cf79ff00bb 10916 java optional bouncycastle_1.59-2.debian.tar.xz
 906cfe0313b8f226d2056bbee2d3802c 13517 java optional bouncycastle_1.59-2_amd64.buildinfo





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 24 Jun 2018 16:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Jun 2018 16:21:15 GMT)


Message #20 received at 900843-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 900843-close@bugs.debian.org
Subject: Bug#900843: fixed in bouncycastle 1.56-1+deb9u2
Date: Sun, 24 Jun 2018 16:17:10 +0000
Source: bouncycastle
Source-Version: 1.56-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 13 Jun 2018 00:25:10 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source all
Version: 1.56-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documentation)
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Documentation)
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Closes: 900843
Changes:
 bouncycastle (1.56-1+deb9u2) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1000180. (Closes: #900843)
Checksums-Sha1:
 9dd3d448f48681b4f4185c91a0940dda3d5aae75 2717 bouncycastle_1.56-1+deb9u2.dsc
 dbbf5e0838df8ec09283c660f87085a41a3ffc8e 11116 bouncycastle_1.56-1+deb9u2.debian.tar.xz
 375f5e273c7a1f465c6f24093f3cb92d460d8f94 13341 bouncycastle_1.56-1+deb9u2_amd64.buildinfo
 e3a0c95cf01b025b34edeee3f17cc6a46ca9253b 97576 libbcmail-java-doc_1.56-1+deb9u2_all.deb
 8981ac328cc8803d5315af0960108d26cbf36f84 152204 libbcmail-java_1.56-1+deb9u2_all.deb
 6c702f40025f244d1b97a014a120e3948b4a6aa2 186052 libbcpg-java-doc_1.56-1+deb9u2_all.deb
 3c1e54ef88003db94a7173137b3210050940c0c9 351418 libbcpg-java_1.56-1+deb9u2_all.deb
 c69aef85789d5064c9ce6a9d0d80923221adb890 338980 libbcpkix-java-doc_1.56-1+deb9u2_all.deb
 93448a45941e6af7a3a31598749c8a58f8e909ed 714420 libbcpkix-java_1.56-1+deb9u2_all.deb
 81b10686b2a8e3d25a0080a2b40b2c3ab588ba3c 1934500 libbcprov-java-doc_1.56-1+deb9u2_all.deb
 f79f4eb6eb8fad72f785ef926472649341af4d03 3636712 libbcprov-java_1.56-1+deb9u2_all.deb
Checksums-Sha256:
 06d1564827028cf629d249a54e0072238f48217a7e8f174fc59b2a9aa3cf10fc 2717 bouncycastle_1.56-1+deb9u2.dsc
 f54f53056e39e670926c8dedabe8833d5b205c9ca17a31b6cbd0b4810dddc4d0 11116 bouncycastle_1.56-1+deb9u2.debian.tar.xz
 69cbf079e06f1ef7347caf5612b4283b1b740560d1e3f8d09d3c2c991a01c48e 13341 bouncycastle_1.56-1+deb9u2_amd64.buildinfo
 9edcd2c7b26803144396941bf1e964e5bc7e708455fc5e79244aa025eaed29b5 97576 libbcmail-java-doc_1.56-1+deb9u2_all.deb
 96c56d1c2ccb9c9cf0f86d34901770cd5b7cb067ced1a51f0557f80da8738132 152204 libbcmail-java_1.56-1+deb9u2_all.deb
 6236810eb039380d8d09e111d9ddbe22793e6b920af4e8eb7ce529d16d6e5246 186052 libbcpg-java-doc_1.56-1+deb9u2_all.deb
 1596361f9b0ccce3fdc8ae7990f74b985bb2af07dcdb8aa4ac00ca54343d4b1f 351418 libbcpg-java_1.56-1+deb9u2_all.deb
 bca5c860c0efd088e33f0b11515e2017759f7a93190e8a2b93e05a9e383e062b 338980 libbcpkix-java-doc_1.56-1+deb9u2_all.deb
 49e85bb11bf23da62a657f28a8874437a07599e8e657704c57381b600a80c435 714420 libbcpkix-java_1.56-1+deb9u2_all.deb
 e556503f9285d7278db0dc80f34948c2d6f505f534e4159df7aab6b2b325d2ea 1934500 libbcprov-java-doc_1.56-1+deb9u2_all.deb
 478823d9ccbab9b29dd711ec7603a2b8d9bf014370ae5a707ab19258ac3ae431 3636712 libbcprov-java_1.56-1+deb9u2_all.deb
Files:
 fbf2308db7aec423a0f05864e76a0690 2717 java optional bouncycastle_1.56-1+deb9u2.dsc
 f72a4bb0fa4f14411bbda5d2bcbbd3bd 11116 java optional bouncycastle_1.56-1+deb9u2.debian.tar.xz
 5fdb0e5c8157497c65e0f8aab7f50f6a 13341 java optional bouncycastle_1.56-1+deb9u2_amd64.buildinfo
 bfa82b35567779ef69e0683a268ed087 97576 doc optional libbcmail-java-doc_1.56-1+deb9u2_all.deb
 631dea159d731e34ba188026bc42e99c 152204 java optional libbcmail-java_1.56-1+deb9u2_all.deb
 c6da6cace005325bfac59cc034d6d935 186052 doc optional libbcpg-java-doc_1.56-1+deb9u2_all.deb
 231cbb8f8ddd66bb9b12c81b27572b47 351418 java optional libbcpg-java_1.56-1+deb9u2_all.deb
 7e3bb1e0cc4a7d79b36ffc17de18aa9d 338980 doc optional libbcpkix-java-doc_1.56-1+deb9u2_all.deb
 8f4d2bfd5703705f76e87ac5740e9f98 714420 java optional libbcpkix-java_1.56-1+deb9u2_all.deb
 5d5220e90166cfcc0a7dd1842fcacc11 1934500 doc optional libbcprov-java-doc_1.56-1+deb9u2_all.deb
 88d8c3a8e22e2882e08b29f34f2e160a 3636712 java optional libbcprov-java_1.56-1+deb9u2_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Aug 2018 07:26:56 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:26:30 2019; Machine Name: beach
