[Ach] Fwd: [SECURITY] [DSA 3417-1] bouncycastle security update

Aaron Zauner azet at azet.org
Tue Dec 15 13:41:35 CET 2015


We had the same talk at BSides Vienna :)

Aaron

Torsten Gigler wrote:
> Hi,
> 
> and there has been a nice talk at the German OWASP Day:
> https://www.owasp.org/images/4/4c/Practical_Invalid_Curve_Attacks_on_TLS-ECDH_-_Juraj_Somorovsky.pdf
> 
> regards
> Torsten
> 
> 2015-12-15 2:14 GMT+01:00 L. Aaron Kaplan <aaron at lo-res.org>:
> 
> 
>     FYI
> 
> 
>     > Begin forwarded message:
>     >
>     > From: Luciano Bello <luciano at debian.org>
>     > Subject: [SECURITY] [DSA 3417-1] bouncycastle security update
>     > Date: 14 Dec 2015 13:51:06 CET
>     > To: bugtraq at securityfocus.com
>     > Resent-From: list at bendel.debian.org (Mailing List Manager)
>     > Resent-Cc: recipient list not shown: ;
>     > Reply-To: listadmin at SECURITYFOCUS.COM
>     >
>     > Signed PGP part
>     > -------------------------------------------------------------------------
>     > Debian Security Advisory DSA-3417-1                   security at debian.org
>     > https://www.debian.org/security/                           Luciano Bello
>     > December 14, 2015                   https://www.debian.org/security/faq
>     > -------------------------------------------------------------------------
>     >
>     > Package        : bouncycastle
>     > CVE ID         : CVE-2015-7940
>     > Debian Bug     : 802671
>     >
>     > Tibor Jager, Jörg Schwenk, and Juraj Somorovsky, from Horst Görtz
>     > Institute for IT Security, published a paper in ESORICS 2015 where they
>     > describe an invalid curve attack in Bouncy Castle Crypto, a Java library
>     > for cryptography. An attacker is able to recover private Elliptic Curve
>     > keys from different applications, for example, TLS servers.
>     >
>     > More information:
>     > http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
>     > Practical Invalid Curve Attacks on TLS-ECDH:
>     > http://euklid.org/pdf/ECC_Invalid_Curve.pdf
>     >
>     > For the oldstable distribution (wheezy), this problem has been fixed
>     > in version 1.44+dfsg-3.1+deb7u1.
>     >
>     > For the stable distribution (jessie), this problem has been fixed in
>     > version 1.49+dfsg-3+deb8u1.
>     >
>     > For the unstable distribution (sid), this problem has been fixed in
>     > version 1.51-2.
>     >
>     > We recommend that you upgrade your bouncycastle packages.
>     >
>     > Further information about Debian Security Advisories, how to apply
>     > these updates to your system and frequently asked questions can be
>     > found at: https://www.debian.org/security/
>     >
>     > Mailing list: debian-security-announce at lists.debian.org
>     >
>     >
> 
>     _______________________________________________
>     Ach mailing list
>     Ach at lists.cert.at
>     http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 
> 
