[Ach] Fwd: [SECURITY] [DSA 3417-1] bouncycastle security update

Torsten Gigler torsten.gigler at owasp.org
Tue Dec 15 11:50:31 CET 2015 

Hi,

and there has been a nice talk at the German OWASP Day:
https://www.owasp.org/images/4/4c/Practical_Invalid_Curve_Attacks_on_TLS-ECDH_-_Juraj_Somorovsky.pdf

regards
Torsten

2015-12-15 2:14 GMT+01:00 L. Aaron Kaplan <aaron at lo-res.org>:

>
> FYI
>
>
> > Begin forwarded message:
> >
> > From: Luciano Bello <luciano at debian.org>
> > Subject: [SECURITY] [DSA 3417-1] bouncycastle security update
> > Date: 14 Dec 2015 13:51:06 CET
> > To: bugtraq at securityfocus.com
> > Resent-From: list at bendel.debian.org (Mailing List Manager)
> > Resent-Cc: recipient list not shown: ;
> > Reply-To: listadmin at SECURITYFOCUS.COM
> >
> > Signed PGP part
> > -------------------------------------------------------------------------
> > Debian Security Advisory DSA-3417-1
> security at debian.org
> > https://www.debian.org/security/                            Luciano
> Bello
> > December 14, 2015
> https://www.debian.org/security/faq
> > -------------------------------------------------------------------------
> >
> > Package        : bouncycastle
> > CVE ID         : CVE-2015-7940
> > Debian Bug     : 802671
> >
> > Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz
> > Institute for IT Security, published a paper in ESORICS 2015 where they
> > describe an invalid curve attack in Bouncy Castle Crypto, a Java library
> > for cryptography. An attacker is able to recover private Elliptic Curve
> > keys from different applications, for example, TLS servers.
> >
> > More information:
> >
> http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
> > Practical Invalid Curve Attacks on TLS-ECDH:
> > http://euklid.org/pdf/ECC_Invalid_Curve.pdf
> >
> > For the oldstable distribution (wheezy), this problem has been fixed
> > in version 1.44+dfsg-3.1+deb7u1.
> >
> > For the stable distribution (jessie), this problem has been fixed in
> > version 1.49+dfsg-3+deb8u1.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 1.51-2.
> >
> > We recommend that you upgrade your bouncycastle packages.
> >
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://www.debian.org/security/
> >
> > Mailing list: debian-security-announce at lists.debian.org
> >
> >
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20151215/7be552aa/attachment.html>

More information about the Ach mailing list