Import Debian changes 1.49+dfsg-3+deb8u3
bouncycastle (1.49+dfsg-3+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2016-1000338:
    DSA does not fully validate ASN.1 encoding of signature on verification.
    It is possible to inject extra elements in the sequence making up the
    signature and still have it validate, which in some cases may allow the
    introduction of 'invisible' data into a signed structure.
  * Fix CVE-2016-1000339:
    Previously the primary engine class used for AES was AESFastEngine. Due to
    the highly table driven approach used in the algorithm it turns out that if
    the data channel on the CPU can be monitored the lookup table accesses are
    sufficient to leak information on the AES key being used. There was also a
    leak in AESEngine although it was substantially less. AESEngine has been
    modified to remove any signs of leakage and is now the primary AES class
    for the BC JCE provider. Use of AESFastEngine is now only recommended
    where otherwise deemed appropriate.
  * Fix CVE-2016-1000341:
    DSA signature generation is vulnerable to timing attack. Where timings can
    be closely observed for the generation of signatures, the lack of blinding
    may allow an attacker to gain information about the signature's k value and
    ultimately the private value as well.
  * Fix CVE-2016-1000342:
    ECDSA does not fully validate ASN.1 encoding of signature on verification.
    It is possible to inject extra elements in the sequence making up the
    signature and still have it validate, which in some cases may allow the
    introduction of 'invisible' data into a signed structure.
  * Fix CVE-2016-1000343:
    The DSA key pair generator generates a weak private key if used with
    default values. If the JCA key pair generator is not explicitly initialised
    with DSA parameters, 1.55 and earlier generates a private value assuming a
    1024 bit key size. In earlier releases this can be dealt with by explicitly
    passing parameters to the key pair generator.
  * Fix CVE-2016-1000345:
    The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In an
    environment where timings can be easily observed, it is possible with
    enough observations to identify when the decryption is failing due to
    padding.
  * Fix CVE-2016-1000346:
    In the Bouncy Castle JCE Provider the other party DH public key is not
    fully validated. This can cause issues as invalid keys can be used to
    reveal details about the other party's private key where static
    Diffie-Hellman is in use. As of this release the key parameters are checked
    on agreement calculation.
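As an added illustration of two of the validation problems this changelog entry describes (the lax signature decoding behind CVE-2016-1000338 and CVE-2016-1000342, and the unchecked peer DH public value behind CVE-2016-1000346), the following Python is example code written for this page, not Bouncy Castle's own implementation. Every function name and sample value in it is constructed; the toy group (p = 23, subgroup order q = 11) is only for demonstration.

```python
"""Strict DER decoding of a DSA/ECDSA signature and range checks on a DH
public value. Added illustration for this page; not Bouncy Castle code.
All names and sample values below are constructed."""
from typing import Optional, Tuple


class DerError(ValueError):
    """Raised when bytes are not strict DER or not the expected shape."""


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value element at pos; return (tag, value, next_pos).
    Only DER-minimal length encodings are accepted."""
    if pos + 2 > len(data):
        raise DerError("truncated element header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length")
        if pos + n > len(data):
            raise DerError("truncated length")
        if data[pos] == 0:
            raise DerError("length has leading zero byte")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < 0x80:
            raise DerError("long-form length used for a short length")
        pos += n
    if pos + length > len(data):
        raise DerError("truncated value")
    return tag, data[pos:pos + length], pos + length


def _decode_integer(value: bytes) -> int:
    """Decode a DER INTEGER body, rejecting non-minimal encodings."""
    if not value:
        raise DerError("empty INTEGER")
    if len(value) > 1:
        # A leading 0x00 is only legal when needed to keep the value positive,
        # a leading 0xFF only when needed to keep it negative.
        if value[0] == 0x00 and not value[1] & 0x80:
            raise DerError("INTEGER has redundant leading zero")
        if value[0] == 0xFF and value[1] & 0x80:
            raise DerError("INTEGER has redundant leading 0xFF")
    return int.from_bytes(value, "big", signed=True)


def decode_signature(sig: bytes) -> Tuple[int, int]:
    """Parse SEQUENCE { r INTEGER, s INTEGER } and reject anything else.
    A decoder that reads r and s but ignores what follows them is the
    weakness the changelog describes: extra elements ride along inside a
    signature that still verifies."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    if end != len(sig):
        raise DerError("trailing bytes after signature SEQUENCE")
    tag, r_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise DerError("expected INTEGER r")
    tag, s_bytes, pos = _read_tlv(body, pos)
    if tag != 0x02:
        raise DerError("expected INTEGER s")
    if pos != len(body):
        raise DerError("extra element inside signature SEQUENCE")
    r, s = _decode_integer(r_bytes), _decode_integer(s_bytes)
    if r <= 0 or s <= 0:
        raise DerError("r and s must be positive")
    return r, s


def check_signature_encoding(sig: bytes) -> str:
    """Return 'ok' or the reason the encoding was rejected."""
    try:
        decode_signature(sig)
        return "ok"
    except DerError as exc:
        return str(exc)


def validate_dh_public_key(y: int, p: int, q: Optional[int] = None) -> bool:
    """Accept a peer's DH public value only if 2 <= y <= p-2 and, when the
    subgroup order q is known, y^q mod p == 1, i.e. y lies in the intended
    subgroup rather than a small one that would leak bits of the private key."""
    if not 2 <= y <= p - 2:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


# Constructed samples: r = 1, s = 2 in each case.
VALID_SIG = bytes.fromhex("3006020101020102")
EXTRA_ELEMENT_SIG = bytes.fromhex("3009020101020102040141")  # + OCTET STRING "A"
TRAILING_BYTE_SIG = VALID_SIG + b"\x00"
NON_MINIMAL_SIG = bytes.fromhex("300702020001020102")  # r encoded as 00 01

# Constructed toy group: p = 23 with a subgroup of order q = 11.
TOY_P, TOY_Q = 23, 11

if __name__ == "__main__":
    for name, sig in [("valid", VALID_SIG), ("extra element", EXTRA_ELEMENT_SIG),
                      ("trailing byte", TRAILING_BYTE_SIG), ("non-minimal", NON_MINIMAL_SIG)]:
        print(f"{name:14s}: {check_signature_encoding(sig)}")
    for y in (1, 4, 5, 22):
        print(f"DH y={y:2d}: {validate_dh_public_key(y, TOY_P, TOY_Q)}")
```

The signature decoder treats the DER bytes as a closed structure: the outer SEQUENCE must account for every byte of the input, and exactly two INTEGERs must account for every byte of the SEQUENCE body, so neither trailing bytes nor an extra element can be smuggled in. The DH check rejects y = 1 and y = p-1 (small-subgroup elements) on range alone and, with q supplied, also rejects generator-like values outside the order-q subgroup.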