[Ach] Fwd: [SECURITY] [DSA 3417-1] bouncycastle security update
Aaron Zauner
azet at azet.org
Tue Dec 15 13:41:35 CET 2015
We had the same talk at BSides Vienna :)
Aaron
Torsten Gigler wrote:
> Hi,
>
> and there has been a nice talk at the German OWASP Day:
> https://www.owasp.org/images/4/4c/Practical_Invalid_Curve_Attacks_on_TLS-ECDH_-_Juraj_Somorovsky.pdf
>
> regards
> Torsten
>
> 2015-12-15 2:14 GMT+01:00 L. Aaron Kaplan <aaron at lo-res.org>:
>
>
> FYI
>
>
> > Begin forwarded message:
> >
> > From: Luciano Bello <luciano at debian.org>
> > Subject: [SECURITY] [DSA 3417-1] bouncycastle security update
> > Date: 14 Dec 2015 13:51:06 CET
> > To: bugtraq at securityfocus.com
> > Resent-From: list at bendel.debian.org (Mailing List Manager)
> > Resent-Cc: recipient list not shown: ;
> > Reply-To: listadmin at SECURITYFOCUS.COM
> >
> > Signed PGP part
> >
> > -------------------------------------------------------------------------
> > Debian Security Advisory DSA-3417-1                   security at debian.org
> > https://www.debian.org/security/                            Luciano Bello
> > December 14, 2015                     https://www.debian.org/security/faq
> > -------------------------------------------------------------------------
> >
> > Package : bouncycastle
> > CVE ID : CVE-2015-7940
> > Debian Bug : 802671
> >
> > Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz
> > Institute for IT Security, published a paper in ESORICS 2015 where they
> > describe an invalid curve attack in Bouncy Castle Crypto, a Java library
> > for cryptography. An attacker is able to recover private Elliptic Curve
> > keys from different applications, for example, TLS servers.
> >
> > More information:
> > http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
> > Practical Invalid Curve Attacks on TLS-ECDH:
> > http://euklid.org/pdf/ECC_Invalid_Curve.pdf
> >
> > For the oldstable distribution (wheezy), this problem has been fixed
> > in version 1.44+dfsg-3.1+deb7u1.
> >
> > For the stable distribution (jessie), this problem has been fixed in
> > version 1.49+dfsg-3+deb8u1.
> >
> > For the unstable distribution (sid), this problem has been fixed in
> > version 1.51-2.
> >
> > We recommend that you upgrade your bouncycastle packages.
> >
> > Further information about Debian Security Advisories, how to apply
> > these updates to your system and frequently asked questions can be
> > found at: https://www.debian.org/security/
> >
> > Mailing list: debian-security-announce at lists.debian.org
> >
> >
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
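Added example, not part of the thread, the advisory, or Bouncy Castle's code: an invalid curve attack depends on an implementation using a peer's ECDH point without checking that it lies on the agreed curve, so the code below shows that check for uncompressed NIST P-256 points. The function names are hypothetical, P-256 is chosen only for illustration, and the sample inputs are constructed.

```python
# Added example: validate an uncompressed SEC1 point before using it in ECDH.
# NIST P-256 domain parameters (public constants from FIPS 186 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # bytes per coordinate on P-256


def is_on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + a*x + b over GF(p)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_peer_point(encoded: bytes) -> tuple[int, int]:
    """Parse 0x04 || X || Y and reject anything that is not a P-256 point.

    Hypothetical helper: call it on the peer's public value before the
    private scalar is ever multiplied with it.
    """
    if len(encoded) != 1 + 2 * COORD_LEN:
        raise ValueError("wrong length for an uncompressed P-256 point")
    if encoded[0] != 0x04:
        raise ValueError("only the uncompressed point format is accepted")
    x = int.from_bytes(encoded[1:1 + COORD_LEN], "big")
    y = int.from_bytes(encoded[1 + COORD_LEN:], "big")
    # Coordinates must be canonical field elements, not values >= p.
    if x >= P or y >= P:
        raise ValueError("coordinate out of range")
    # The decisive check: a point taken from any other curve fails here.
    # P-256 has cofactor 1, so an on-curve point is in the intended group.
    if not is_on_curve(x, y):
        raise ValueError("point is not on P-256")
    return x, y


def encode_point(x: int, y: int) -> bytes:
    """Encode affine coordinates as an uncompressed SEC1 point."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


if __name__ == "__main__":
    # Constructed inputs: the standard base point, then the same x with y altered.
    print(validate_peer_point(encode_point(GX, GY)) == (GX, GY))
    try:
        validate_peer_point(encode_point(GX, (GY + 1) % P))
    except ValueError as exc:
        print("rejected:", exc)
```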