Date: Thu, 22 Oct 2015 12:25:12 +0200 From: Raphael Hertzog <hertzog@...ian.org> To: oss-security@...ts.openwall.com Subject: CVE Request: invalid curve attack on bouncycastle Hello, bouncycastle versions older than 1.51 are vulnerable to an invalid curve attack as described in this article: http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html The attack allows to extract private keys used in elliptic curve crytpography with a few thousands queries. According to upstream developer Peter Dettman, the issue has been fixed with those two commits: https://github.com/bcgit/bc-java/commit/5cb2f05 https://github.com/bcgit/bc-java/commit/e25e94a Could a CVE be assigned to this issue? Thank you. PS: Please CC me as I'm not subscribed. -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.