Date: Thu, 22 Oct 2015 14:08:10 -0400 (EDT)
From: cve-assign@...re.org
To: hertzog@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: invalid curve attack on bouncycastle

> bouncycastle versions older than 1.51 are vulnerable to an
> invalid curve attack as described in this article:
> http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
>
> The attack allows extracting private keys used in elliptic curve
> cryptography with a few thousand queries.
>
> According to upstream developer Peter Dettman, the issue has been fixed
> with those two commits:
> https://github.com/bcgit/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83
> https://github.com/bcgit/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04

Use CVE-2015-7940. A Bouncy Castle product intentionally has a unique
CVE ID because of its independent codebase. However, as noted in the
practical-invalid-curve-attacks.html posting, the issue is related to
CVE-2015-2613. The MITRE CVE team plans to update
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2613 to reflect
the additional information from Juraj Somorovsky.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
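
The general defence against an invalid curve attack is to check that a peer-supplied point satisfies the curve equation before it is used with a private key. The following is an added example, not part of the original message and not Bouncy Castle code; it assumes NIST P-256, the helper names (`validate_public_point`, `implied_b`) are hypothetical, and the off-curve point is constructed.

```python
# Added example: public-point validation for a short Weierstrass curve.
# NIST P-256 domain parameters (public constants from FIPS 186-4).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def on_curve(pt, b=B):
    """True if pt satisfies y^2 = x^3 + A*x + b (mod P)."""
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P == 0


def validate_public_point(pt):
    """Reject peer-supplied points before any private-key operation.
    P-256 has cofactor 1, so range and curve-equation checks suffice."""
    if pt is None:
        raise ValueError("point at infinity")
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate out of range")
    if not on_curve(pt):
        raise ValueError("point is not on the curve")
    return pt


def double(pt):
    """Affine point doubling. The formula uses A but never B, so it
    cannot notice that its input belongs to a different curve."""
    x, y = pt
    if y == 0:
        return None
    s = (3 * x * x + A) * pow(2 * y, -1, P) % P
    x3 = (s * s - 2 * x) % P
    return (x3, (s * (x - x3) - y) % P)


def implied_b(pt):
    """The b coefficient of the curve that pt actually lies on."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P


# Constructed sample inputs: the real generator and an off-curve point.
GOOD = (GX, GY)
BAD = (GX, (GY + 1) % P)
```

Without `validate_public_point`, `double(BAD)` returns a result that stays on the curve given by `implied_b(BAD)` rather than on P-256, which is why the check has to run before any arithmetic involving the private key.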