Bugzilla – Bug 1223252
VUL-0: CVE-2024-30171: bouncycastle: timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP)
Last modified: 2024-07-19 16:45:05 UTC
BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP).
References:
* https://www.bouncycastle.org/releasenotes.html
* https://github.com/bcgit/bc-java/issues/1528
* https://people.redhat.com/~hkario/marvin/
References:
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-30171
* https://bugzilla.redhat.com/show_bug.cgi?id=2276360
Factory update to version 1.78:
* https://build.opensuse.org/request/show/1170680
Related upstream commits:
* https://github.com/bcgit/bc-java/commit/d7d5e735
* https://github.com/bcgit/bc-java/commit/e5b46eab
These 2 additional commits are also required:
* https://github.com/bcgit/bc-java/commit/d37128e6
* https://github.com/bcgit/bc-java/commit/8767f0b2
SUSE-SU-2024:1539-1: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1223252
CVE References: CVE-2024-30171
Maintenance Incident: [SUSE:Maintenance:33611](https://smelt.suse.de/incident/33611/)
Sources used:
* openSUSE Leap 15.5 (src): bouncycastle-1.78.1-150200.3.29.1
* Development Tools Module 15-SP5 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): bouncycastle-1.78.1-150200.3.29.1
* SUSE Enterprise Storage 7.1 (src): bouncycastle-1.78.1-150200.3.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1539-2: An update that solves one vulnerability can now be installed.
Category: security (moderate)
Bug References: 1223252
CVE References: CVE-2024-30171
Maintenance Incident: [SUSE:Maintenance:33611](https://smelt.suse.de/incident/33611/)
Sources used:
* Development Tools Module 15-SP6 (src): bouncycastle-1.78.1-150200.3.29.1
* openSUSE Leap 15.6 (src): bouncycastle-1.78.1-150200.3.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.