Bug 1180215 - (CVE-2020-28052) VUL-0: CVE-2020-28052: bouncycastle: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/273754/
Reported: 2020-12-18 12:45 UTC by Johannes Segitz
Modified: 2022-06-28 12:35 UTC
Found By: Security Response Team
Description Johannes Segitz 2020-12-18 12:45:22 UTC
CVE-2020-28052

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66.
The OpenBSDBCrypt.checkPassword utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different.

ouch, bad one

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
https://www.bouncycastle.org/releasenotes.html
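A small canary test for the property this CVE describes, added here as an example and not taken from the bug report or from the Bouncy Castle project: it hashes a password with OpenBSDBCrypt.generate and then asserts that checkPassword accepts the original password and rejects several wrong ones. It assumes the bcprov-jdk15on jar (any version that ships org.bouncycastle.crypto.generators.OpenBSDBCrypt) is on the classpath; the salt, cost factor and candidate passwords are constructed for the test.

```java
import java.security.SecureRandom;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

public class BCryptCheckCanary {

    // Wrong candidates that differ from the correct password in different ways
    // (constructed for this test).
    private static final String[] WRONG_CANDIDATES = {
        "incorrect horse battery staple",   // extra characters
        "correct horse battery stapl",      // truncated
        "Correct horse battery staple",     // case change
        "",                                 // empty
    };

    // Returns true only if checkPassword accepts the correct password and
    // rejects every wrong candidate; false means the library in use misbehaves
    // and its version should be verified against the advisory.
    public static boolean checkPasswordBehavesCorrectly() {
        byte[] salt = new byte[16];              // bcrypt requires a 16-byte salt
        new SecureRandom().nextBytes(salt);
        char[] correct = "correct horse battery staple".toCharArray();

        // Cost factor 10 keeps the test fast while exercising the real algorithm.
        String hash = OpenBSDBCrypt.generate(correct, salt, 10);

        if (!OpenBSDBCrypt.checkPassword(hash, correct)) {
            return false;                         // correct password rejected
        }
        for (String candidate : WRONG_CANDIDATES) {
            if (OpenBSDBCrypt.checkPassword(hash, candidate.toCharArray())) {
                return false;                     // wrong password accepted
            }
        }
        return true;
    }

    public static void main(String[] args) {
        if (checkPasswordBehavesCorrectly()) {
            System.out.println("OK: checkPassword accepts only the correct password");
        } else {
            System.out.println("FAIL: checkPassword accepted a wrong password or rejected the right one;"
                + " check the bcprov version (CVE-2020-28052 affects BC 1.65 and 1.66)");
            System.exit(1);
        }
    }
}
```

Running this against the jar actually deployed (for example as a unit test in the build that pulls in bcprov) turns the advisory into a repeatable check rather than a version-string lookup, which matters when the dependency is shaded or pulled in transitively.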
Comment 1 Pedro Monreal Gonzalez 2020-12-21 11:37:28 UTC
Only versions BC 1.65 and BC 1.66 are affected, see:
   https://github.com/bcgit/bc-java/wiki/CVE-2020-28052

Updated to version BC 1.67 in Factory:
   https://build.opensuse.org/request/show/857837
   https://www.bouncycastle.org/releasenotes.html

No SLE code is affected.
Comment 3 Johannes Segitz 2021-01-04 08:53:25 UTC
thank you