Debian Bug report logs - #884241
bouncycastle: CVE-2017-13098

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Dec 2017 20:57:04 UTC

Owned by: Markus Koschany <apo@debian.org>

Severity: grave

Tags: patch, security, upstream

Found in versions bouncycastle/1.57-1, bouncycastle/1.56-1

Fixed in versions bouncycastle/1.56-1+deb9u1, bouncycastle/1.58-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#884241; Package src:bouncycastle. (Tue, 12 Dec 2017 20:57:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 12 Dec 2017 20:57:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bouncycastle: CVE-2017-13098
Date: Tue, 12 Dec 2017 21:53:55 +0100
Source: bouncycastle
Version: 1.57-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for bouncycastle.

CVE-2017-13098[0]:
| Information leak by distinguishing valid and invalid RSA PKCS #1 v1.5
| paddings based on different server responses.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-13098
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098
[1] https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
[2] https://downloads.bouncycastle.org/betas/
[3] https://www.kb.cert.org/vuls/id/144389

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions bouncycastle/1.56-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Dec 2017 20:18:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#884241; Package src:bouncycastle. (Sun, 17 Dec 2017 19:30:10 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 17 Dec 2017 19:30:10 GMT)


Message #12 received at 884241@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 884241@bugs.debian.org
Subject: Re: bouncycastle: CVE-2017-13098
Date: Sun, 17 Dec 2017 20:27:30 +0100
Control: owner -1 !

I'm working on a fix right now.

Markus


Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 884241-submit@bugs.debian.org. (Sun, 17 Dec 2017 19:30:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>:
Bug#884241; Package src:bouncycastle. (Sun, 17 Dec 2017 20:54:06 GMT)


Message #17 received at 884241@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 884241@bugs.debian.org, 884241-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the bouncycastle package
Date: Sun, 17 Dec 2017 20:50:47 +0000
tag 884241 + pending
thanks

Some bugs in the bouncycastle package are closed in revision
e21813f6dff60bdf67e6379e732dca8683ad2580 in branch 'master' by Markus
Koschany

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/bouncycastle.git/commit/?id=e21813f

Commit message:

    Apply CVE-2017-13098.patch and fix CVE-2017-13098.
    
    Closes: #884241
    Thanks: Salvatore Bonaccorso for the report.




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sun, 17 Dec 2017 20:54:07 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#884241. (Sun, 17 Dec 2017 20:54:09 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 17 Dec 2017 21:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Dec 2017 21:21:13 GMT)


Message #27 received at 884241-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 884241-close@bugs.debian.org
Subject: Bug#884241: fixed in bouncycastle 1.58-1
Date: Sun, 17 Dec 2017 21:19:23 +0000
Source: bouncycastle
Source-Version: 1.58-1

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884241@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 17 Dec 2017 20:32:38 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source
Version: 1.58-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documenta
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Document
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Closes: 884241
Changes:
 bouncycastle (1.58-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 1.58.
   * Declare compliance with Debian Policy 4.1.2.
   * Apply CVE-2017-13098.patch and fix CVE-2017-13098.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #884241)





Marked as fixed in versions bouncycastle/1.56-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Dec 2017 19:21:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2018 07:26:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:45:29 2019; Machine Name: buxtehude

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.