Date: Thu, 22 Oct 2015 12:25:12 +0200
From: Raphael Hertzog <hertzog@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: invalid curve attack on bouncycastle

Hello,

bouncycastle versions older than 1.51 are vulnerable to an
invalid curve attack as described in this article:
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows extraction of private keys used in elliptic curve
cryptography with a few thousand queries.

According to upstream developer Peter Dettman, the issue has been fixed
with those two commits:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

Could a CVE be assigned to this issue?

Thank you.

PS: Please CC me as I'm not subscribed.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
