Accepted bouncycastle 1.49+dfsg-3+deb8u3 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 07 Jul 2018 12:33:00 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source all
Version: 1.49+dfsg-3+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documenta
libbcpg-java - Bouncy Castle generators/processors for OpenPGP
libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Document
libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Changes:
bouncycastle (1.49+dfsg-3+deb8u3) jessie-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2016-1000338:
DSA does not fully validate ASN.1 encoding of signature on verification.
It is possible to inject extra elements in the sequence making up the
signature and still have it validate, which in some cases may allow the
introduction of 'invisible' data into a signed structure.
* Fix CVE-2016-1000339:
Previously the primary engine class used for AES was AESFastEngine. Due to
the highly table driven approach used in the algorithm it turns out that if
the data channel on the CPU can be monitored the lookup table accesses are
sufficient to leak information on the AES key being used. There was also a
leak in AESEngine although it was substantially less. AESEngine has been
modified to remove any signs of leakage and is now the primary AES class
for the BC JCE provider. Use of AESFastEngine is now only recommended
where otherwise deemed appropriate.
* Fix CVE-2016-1000341:
DSA signature generation is vulnerable to timing attack. Where timings can
be closely observed for the generation of signatures, the lack of blinding
may allow an attacker to gain information about the signature's k value and
ultimately the private value as well.
* Fix CVE-2016-1000342:
ECDSA does not fully validate ASN.1 encoding of signature on verification.
It is possible to inject extra elements in the sequence making up the
signature and still have it validate, which in some cases may allow the
introduction of 'invisible' data into a signed structure.
* Fix CVE-2016-1000343:
The DSA key pair generator generates a weak private key if used with
default values. If the JCA key pair generator is not explicitly initialised
with DSA parameters, 1.55 and earlier generates a private value assuming a
1024 bit key size. In earlier releases this can be dealt with by explicitly
passing parameters to the key pair generator.
* Fix CVE-2016-1000345:
The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In an
environment where timings can be easily observed, it is possible with
enough observations to identify when the decryption is failing due to
padding.
* Fix CVE-2016-1000346:
In the Bouncy Castle JCE Provider the other party DH public key is not
fully validated. This can cause issues as invalid keys can be used to
reveal details about the other party's private key where static
Diffie-Hellman is in use. As of this release the key parameters are checked
on agreement calculation.
Checksums-Sha1:
1d1f7226ef78f6fe5e6236a60059db94e86d8c0e 2759 bouncycastle_1.49+dfsg-3+deb8u3.dsc
5f9b047c00fac1e3d135483b3be999f8ebcc31da 32532 bouncycastle_1.49+dfsg-3+deb8u3.debian.tar.xz
430b9a48547b58faa46619d144e8fc9909c8c964 2008810 libbcprov-java_1.49+dfsg-3+deb8u3_all.deb
cb7ebe628da17b6e2f125917ad6e037eb178b62a 81282 libbcprov-java-doc_1.49+dfsg-3+deb8u3_all.deb
621bbeea1ab32a678a94c065cd5ce4c3a192fb66 116886 libbcmail-java_1.49+dfsg-3+deb8u3_all.deb
11e1499adeaa67fafc745c74f566836290a414a3 98172 libbcmail-java-doc_1.49+dfsg-3+deb8u3_all.deb
0e16e50f3ce29f85b3904ccd9ada9b08ff2b290a 533764 libbcpkix-java_1.49+dfsg-3+deb8u3_all.deb
98938a3ca2412593781a1785deed707830830815 325510 libbcpkix-java-doc_1.49+dfsg-3+deb8u3_all.deb
1f1b1c2102ab01abd68b93771a38073f8af23f11 234924 libbcpg-java_1.49+dfsg-3+deb8u3_all.deb
f0f7581cc68c48c79064ac0acfb67d6038e2f442 35752 libbcpg-java-doc_1.49+dfsg-3+deb8u3_all.deb
Checksums-Sha256:
122071c667b46b15faa9874e9848e3d7544acf64e91f4cba54343807a49c7b56 2759 bouncycastle_1.49+dfsg-3+deb8u3.dsc
a83db13d2143b4dbdb478b1c5806b3696b0f99074b68538e33f1ed0e8deefdbc 32532 bouncycastle_1.49+dfsg-3+deb8u3.debian.tar.xz
fba5778f32a460db4fb799bd552ef952336408d82ac019509cc76bf0b73911a2 2008810 libbcprov-java_1.49+dfsg-3+deb8u3_all.deb
31040a8d3658eea5503367ee5dc76be03890e4f188eefebd89e187751602f64d 81282 libbcprov-java-doc_1.49+dfsg-3+deb8u3_all.deb
2c90d142e8070ae1dd6a126571685fb695619da5b4bb5705151440818b03c4e6 116886 libbcmail-java_1.49+dfsg-3+deb8u3_all.deb
8f7b6ceecf6caa0cb1cda04d47b34c568d5495ac44b8c87d1fe1cf6d882cd51b 98172 libbcmail-java-doc_1.49+dfsg-3+deb8u3_all.deb
ed2112d898ce3690b31f0a4b6c8b4a189bb926b3433287650abbefd6c10917a5 533764 libbcpkix-java_1.49+dfsg-3+deb8u3_all.deb
d8340a03bd53f747a93a91245060fd7fd793ae3c3077b7f8b02067c42a82cb34 325510 libbcpkix-java-doc_1.49+dfsg-3+deb8u3_all.deb
3304ee990487688a34fd4edbc936065bcf7cba1bb3bdc8a5022a968946482f5b 234924 libbcpg-java_1.49+dfsg-3+deb8u3_all.deb
1a9454fd265e45c5d596e830ad470a7c0e6179f58f0cf1c8287e3c953e457895 35752 libbcpg-java-doc_1.49+dfsg-3+deb8u3_all.deb
Files:
c82dbb89e9328afdbc76395813663d61 2759 java optional bouncycastle_1.49+dfsg-3+deb8u3.dsc
7c135268ffe3960619457479ab4e3260 32532 java optional bouncycastle_1.49+dfsg-3+deb8u3.debian.tar.xz
59ee57cc4037fa2eab238710db84308b 2008810 java optional libbcprov-java_1.49+dfsg-3+deb8u3_all.deb
0d2ef582041dcbc9fa5d144933d1408c 81282 doc optional libbcprov-java-doc_1.49+dfsg-3+deb8u3_all.deb
9c31021678432396c56bbb711f4f5d0b 116886 java optional libbcmail-java_1.49+dfsg-3+deb8u3_all.deb
9f0f910e68ddf1fc7ed97ff2d7a47549 98172 doc optional libbcmail-java-doc_1.49+dfsg-3+deb8u3_all.deb
1e2367b8ce0dd033fdc05717898e233e 533764 java optional libbcpkix-java_1.49+dfsg-3+deb8u3_all.deb
47ef6aae53eca1bb6b8b00b0367dacbd 325510 doc optional libbcpkix-java-doc_1.49+dfsg-3+deb8u3_all.deb
9ae39d34482f7c24293b35bf8e65cba1 234924 java optional libbcpg-java_1.49+dfsg-3+deb8u3_all.deb
6c09ec628173cc7fa7f3e458851d167c 35752 doc optional libbcpg-java-doc_1.49+dfsg-3+deb8u3_all.deb
-----BEGIN PGP SIGNATURE-----
iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAltAmKpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk00UQAJ2XsxbB+uz8IjyXzazjEviVz/rcZpPpmI28
YfeYXjroMzVquH0sqhaHXSOVP2zZSFGgesCckxPRY/1d462H/66dV0YdS7FgbzIG
q3Dpf2jJNjBC3uW+R7RRamfcvHaf3B814JZcpun8iU43xetSton/MlE9MlGuBHI7
lz6nYUD3uGsXUeJwsr0WN9DJMSZMQ+n9SF7dHvWBW+Polwoz+l5dLZN2+yMubCy5
qlrI/pRnmafyQKKyeBvujoVwIvo9Lx0I6836ITJaWY9h7xsQBnA1lYwOzpgnbkvQ
GY1lR8LcQ5gXeIeo4c2Le03qWAnQGCHV6irRhTHYAQIWJz8Ibab9E110bbzRnUdf
mgEDWRLFQveK3u5HYnUr/bCQx/+5Hm5UoOzH9IK+3U6XuObybbImuOzT5E44YJ0N
9KB1ixJGaTpyJl5ZMC4b3TKL2naZFmuTEq4wLIJ1R7DdE9LedSFp42kV3jRbBDco
Gb/qqPqKuoJL8v0ofiX9FsZMLM4NpFHBX2gdVaM59FQK6R3aoWhvlAhBD0qMjv/E
a0m0wkqmJ5B3nCQcEcnkNzDCNAjmV0leFehAdXc2Et2GD8aGNaugK5OqJTQrgdta
ls2QYXiIGgU7Yr7nfrOl7pZaLlRh4PmaVYIpbGvCX6FFNlLOoVRXx51t4/ZZMiwl
ZGl+WUzq
=s2IH
-----END PGP SIGNATURE-----