bouncycastle: CVE-2020-28052


Debian Bug report logs - #977683
bouncycastle: CVE-2020-28052


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 18 Dec 2020 20:36:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version bouncycastle/1.65-1

Fixed in version bouncycastle/1.65-2

Done: tony mancill <tmancill@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#977683; Package src:bouncycastle. (Fri, 18 Dec 2020 20:36:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 18 Dec 2020 20:36:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bouncycastle: CVE-2020-28052
Date: Fri, 18 Dec 2020 21:34:27 +0100
Source: bouncycastle
Version: 1.65-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for bouncycastle, it affects
1.65 and 1.66 and is fixed in 1.67.

CVE-2020-28052[0]:
| An issue was discovered in Legion of the Bouncy Castle BC Java 1.65
| and 1.66. The OpenBSDBCrypt.checkPassword utility method compared
| incorrect data when checking the password, allowing incorrect
| passwords to indicate they were matching with previously hashed ones
| that were different.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28052
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052
[1] https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
[2] https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
[3] https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219

Regards,
Salvatore
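The comparison flaw described in the CVE text above, shown beside a correct check. This is an added example in Java, not Bouncy Castle code and not part of the bug report: the flawed loop is a reconstruction of the pattern corrected by the upstream commit linked as [3] (a position index passed to String.indexOf, which treats it as a character code), the class and method names are made up for the demonstration, and the two bcrypt-shaped strings are constructed samples rather than real bcrypt output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/*
 * Added example, not Bouncy Castle code. It reconstructs the comparison
 * pattern behind CVE-2020-28052 from the upstream fix linked in the report
 * and places it beside a constant-time comparison. The class name, method
 * names and sample hash strings are constructed for this demonstration.
 */
public final class HashCompareDemo {

    /*
     * Flawed pattern (reconstruction). 'i' is meant as a position, but
     * String.indexOf(int) treats it as a character code and searches for it.
     * A bcrypt string is 60 characters long, so i only ranges over code
     * points 0..59; of those, only '$', '.', '/' and '0'..'9' can occur in
     * a bcrypt string. Every other code point returns -1 from both strings,
     * so the loop effectively checks only the length and the first position
     * of those few characters. Two strings with the same "$2a$10$" prefix
     * that differ in every letter are therefore reported as equal.
     */
    static boolean flawedCompare(String stored, String computed) {
        boolean isEqual = stored.length() == computed.length();
        for (int i = 0; i != stored.length(); i++) {
            isEqual &= (stored.indexOf(i) == computed.indexOf(i));
        }
        return isEqual;
    }

    /*
     * Correct pattern: compare the byte at each position and accumulate the
     * differences without an early exit, so the running time does not depend
     * on where the first mismatch is.
     */
    static boolean constantTimeCompare(String stored, String computed) {
        byte[] a = stored.getBytes(StandardCharsets.UTF_8);
        byte[] b = computed.getBytes(StandardCharsets.UTF_8);
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i != a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /* The JDK ships an equivalent: MessageDigest.isEqual is a constant-time comparison. */
    static boolean jdkCompare(String stored, String computed) {
        return MessageDigest.isEqual(
            stored.getBytes(StandardCharsets.UTF_8),
            computed.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed samples: 60-character, bcrypt-shaped strings that share
        // the "$2a$10$" prefix and differ in all 53 remaining characters.
        // They are not real bcrypt output.
        String stored   = "$2a$10$" + "abcdefghijklmnopqrstuvwxyz"
                                    + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "a";
        String computed = "$2a$10$" + "ZYXWVUTSRQPONMLKJIHGFEDCBA"
                                    + "zyxwvutsrqponmlkjihgfedcba" + "Z";

        System.out.println("flawed:        " + flawedCompare(stored, computed));
        System.out.println("constant-time: " + constantTimeCompare(stored, computed));
        System.out.println("jdk isEqual:   " + jdkCompare(stored, computed));

        // A genuine match is still accepted by the correct checks.
        System.out.println("same string:   " + constantTimeCompare(stored, stored));
    }
}
```

Compile and run with `javac HashCompareDemo.java && java HashCompareDemo`. The flawed check accepts the mismatched pair, while both correct checks reject it and still accept an identical pair. In practice the fix is to run a version that carries the upstream correction (1.67 upstream, 1.65-2 in Debian as this report concludes) rather than to re-implement the comparison; the example only makes visible what the CVE text means by "compared incorrect data".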



Information forwarded to debian-bugs-dist@lists.debian.org, apo@debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#977683; Package src:bouncycastle. (Sun, 03 Jan 2021 20:30:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to apo@debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 03 Jan 2021 20:30:02 GMT)


Message #10 received at 977683@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 977683@bugs.debian.org
Subject: bouncycastle: diff for NMU version 1.65-1.1
Date: Sun, 3 Jan 2021 21:27:41 +0100
[Message part 1 (text/plain, inline)]
Control: tags 977683 + patch
Control: tags 977683 + pending


Dear maintainer,
X-Debbugs-CC'ing as well Markus Koschany.

I've prepared an NMU for bouncycastle (versioned as 1.65-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer. Alternatively feel free to as well just
directly reject it and do a maintainer upload (which anyway is
preferable).

The issue only affects bullseye and unstable, and it should be fixed
in time before the freeze ideally.

Regards,
Salvatore
[bouncycastle-1.65-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 977683-submit@bugs.debian.org. (Sun, 03 Jan 2021 20:30:02 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 977683-submit@bugs.debian.org. (Sun, 03 Jan 2021 20:30:03 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#977683. (Mon, 04 Jan 2021 03:27:05 GMT)


Message #17 received at 977683-submitter@bugs.debian.org:

From: Tony Mancill <noreply@salsa.debian.org>
To: 977683-submitter@bugs.debian.org
Subject: Bug#977683 marked as pending in bouncycastle
Date: Mon, 04 Jan 2021 03:25:25 +0000
Control: tag -1 pending

Hello,

Bug #977683 in bouncycastle reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/bouncycastle/-/commit/c5e89481ba59ab50be7adaf006f911926b534cd9

------------------------------------------------------------------------
Corrected constant time equals (CVE-2020-28052) (Closes: #977683)

Thank you to Salvatore Bonaccorso <carnil@debian.org>
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/977683



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#977683; Package src:bouncycastle. (Mon, 04 Jan 2021 03:33:03 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 04 Jan 2021 03:33:03 GMT)


Message #22 received at 977683@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 977683@bugs.debian.org
Subject: Re: Bug#977683: bouncycastle: diff for NMU version 1.65-1.1
Date: Sun, 3 Jan 2021 19:28:40 -0800
[Message part 1 (text/plain, inline)]
Hi Salvatore,

On Sun, Jan 03, 2021 at 09:27:41PM +0100, Salvatore Bonaccorso wrote:
> Control: tags 977683 + patch
> Control: tags 977683 + pending
> 
> 
> Dear maintainer,
> X-Debbugs-CC'ing as well Markus Koschany.
> 
> I've prepared an NMU for bouncycastle (versioned as 1.65-1.1) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer. Alternatively feel free to as well just
> directly reject it and do a maintainer upload (which anyway is
> preferable).

Thank you for the patch and the NMU.  I applied your patch and freshened
a few other things in the package and performed a maintainer upload of
1.65-2.

Cheers,
tony
[signature.asc (application/pgp-signature, inline)]

Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Mon, 04 Jan 2021 05:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 04 Jan 2021 05:21:03 GMT)


Message #27 received at 977683-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 977683-close@bugs.debian.org
Subject: Bug#977683: fixed in bouncycastle 1.65-2
Date: Mon, 04 Jan 2021 05:18:24 +0000
Source: bouncycastle
Source-Version: 1.65-2
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977683@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jan 2021 18:39:32 -0800
Source: bouncycastle
Architecture: source
Version: 1.65-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 977683
Changes:
 bouncycastle (1.65-2) unstable; urgency=medium
 .
   * Team upload
   * Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
     Thank you to Salvatore Bonaccorso for the patch.
   * Bump Standards-Version to 4.5.1
   * Use https URLs in copyright, control and watch
   * Use debhelper-compat 13
   * Set Rules-Requires-Root: no in debian/control
Checksums-Sha1:
 6187686ad8648351869a947960e09f60632ffd8b 2509 bouncycastle_1.65-2.dsc
 2f07e72cb141bc8e03e7265b5570b63340a4f73e 11068 bouncycastle_1.65-2.debian.tar.xz
 9cc5effd367df4c77944a29d907b88dcef695c20 12810 bouncycastle_1.65-2_amd64.buildinfo
Checksums-Sha256:
 5bc98cb04a1326bb266a8f6ed39cc7c0be0e4ce017b9e906622dd041a1ab94b0 2509 bouncycastle_1.65-2.dsc
 0d0eded8c4616d21851f75e8d31714256b8370a25c7f71bb04e326203e08f63e 11068 bouncycastle_1.65-2.debian.tar.xz
 17881014575afe4f5a4b81ee76a96a15973a7265e70b5a3cdfe575a555775197 12810 bouncycastle_1.65-2_amd64.buildinfo
Files:
 0ce26ef783b0936c94707b9a83b09a48 2509 java optional bouncycastle_1.65-2.dsc
 9da01d2e0127f8a290d49c6408011056 11068 java optional bouncycastle_1.65-2.debian.tar.xz
 990fb7d49f748139ea071fa1d15921d2 12810 java optional bouncycastle_1.65-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 12:59:37 2021; Machine Name: bembo
