Bug 1180215 (CVE-2020-28052)

Summary: VUL-0: CVE-2020-28052: bouncycastle: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password
Product: [openSUSE] openSUSE Distribution
Reporter: Johannes Segitz <jsegitz>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: pmonrealgonzalez
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/273754/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2020-12-18 12:45:22 UTC
CVE-2020-28052

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66.
The OpenBSDBCrypt.checkPassword utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different.

ouch, bad one

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
https://www.bouncycastle.org/releasenotes.html
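A small regression check for the behaviour described above (added here as an example; it is not code from the bug report or from the Bouncy Castle project). It assumes a bcprov jar of version 1.67 or later is on the classpath and uses only the public OpenBSDBCrypt.generate/checkPassword API; on an affected 1.65/1.66 build the "rejects wrong password" check is the one expected to fail.

```java
import java.security.SecureRandom;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

public class BcryptCheckRegression {
    // Returns true only if checkPassword() accepts the right password and
    // rejects both a wrong password and a hash of a different password.
    public static boolean checkPasswordBehavesSafely(int cost) {
        byte[] salt = new byte[16];              // bcrypt requires a 16-byte salt
        new SecureRandom().nextBytes(salt);

        char[] correct = "correct horse battery staple".toCharArray();
        char[] wrong   = "correct horse battery stapl3".toCharArray();

        // Constructed test vectors: two hashes under the same salt and cost.
        String stored = OpenBSDBCrypt.generate(correct, salt, cost);
        String other  = OpenBSDBCrypt.generate(wrong, salt, cost);

        boolean acceptsCorrect = OpenBSDBCrypt.checkPassword(stored, correct);
        boolean rejectsWrong   = !OpenBSDBCrypt.checkPassword(stored, wrong);
        // A different password's hash must not verify against the real password either.
        boolean rejectsOther   = !OpenBSDBCrypt.checkPassword(other, correct);

        System.out.println("accepts correct password: " + acceptsCorrect);
        System.out.println("rejects wrong password:   " + rejectsWrong);
        System.out.println("rejects other hash:       " + rejectsOther);
        return acceptsCorrect && rejectsWrong && rejectsOther;
    }

    public static void main(String[] args) {
        if (!checkPasswordBehavesSafely(10)) {
            throw new IllegalStateException(
                "OpenBSDBCrypt.checkPassword misbehaves; upgrade to BC 1.67 or later");
        }
        System.out.println("OpenBSDBCrypt.checkPassword passed the regression check");
    }
}
```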
Comment 1 Pedro Monreal Gonzalez 2020-12-21 11:37:28 UTC
Only versions BC 1.65 and BC 1.66 are affected, see:
   https://github.com/bcgit/bc-java/wiki/CVE-2020-28052

Updated to version BC 1.67 in Factory:
   https://build.opensuse.org/request/show/857837
   https://www.bouncycastle.org/releasenotes.html

No SLE code is affected.
Comment 3 Johannes Segitz 2021-01-04 08:53:25 UTC
thank you