Date: Thu, 22 Oct 2015 12:25:12 +0200
From: Raphael Hertzog <hertzog@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: invalid curve attack on bouncycastle

Hello,

bouncycastle versions older than 1.51 are vulnerable to an invalid curve
attack as described in this article:
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows one to extract private keys used in elliptic curve
cryptography with a few thousand queries.

According to upstream developer Peter Dettman, the issue has been fixed
with those two commits:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

Could a CVE be assigned to this issue?

Thank you.

PS: Please CC me as I'm not subscribed.

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
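The defence against the invalid curve attack described in the message above is to validate a peer's public point before using it in any scalar multiplication. The following is an added illustration, not code from the e-mail or from bouncycastle; it assumes the NIST P-256 (secp256r1) domain parameters and affine (x, y) points.

```python
# Added example (not from the oss-security message or from bouncycastle):
# reject a peer-supplied EC public point that is not on the expected curve.
# Skipping this check is what lets an invalid curve attack substitute a point
# on a weaker curve sharing the same formulas. Assumes NIST P-256 parameters.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x, y, p=P256_P, a=P256_A, b=P256_B):
    """True if (x, y) satisfies y^2 = x^3 + a*x + b over GF(p)."""
    if not (0 <= x < p and 0 <= y < p):
        return False  # coordinates must be reduced field elements
    return (y * y - (x * x * x + a * x + b)) % p == 0


def validate_peer_point(x, y):
    """Public-key validation for a P-256 peer point in affine form.

    Accepts only a finite, in-range point that lies on the curve. P-256 has
    cofactor 1, so an on-curve point is automatically in the prime-order
    subgroup; curves with cofactor > 1 also need an n*Q == infinity check.
    """
    if x is None or y is None:
        return False  # point at infinity is never a valid public key
    return is_on_curve(x, y)


def double_point(x, y, p=P256_P, a=P256_A):
    """Affine point doubling; used here only to produce a second valid point."""
    lam = (3 * x * x + a) * pow(2 * y, -1, p) % p
    x3 = (lam * lam - 2 * x) % p
    y3 = (lam * (x - x3) - y) % p
    return x3, y3


if __name__ == "__main__":
    gx2, gy2 = double_point(P256_GX, P256_GY)
    print("G valid:      ", validate_peer_point(P256_GX, P256_GY))
    print("2G valid:     ", validate_peer_point(gx2, gy2))
    # Constructed bogus point: same x as G, y nudged off the curve.
    print("(Gx, Gy+1):   ", validate_peer_point(P256_GX, P256_GY + 1))
    print("infinity:     ", validate_peer_point(None, None))
```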