Bugzilla – Bug 1223926
VUL-0: CVE-2024-34447: bouncycastle: use of incorrectly-resolved name or reference
Last modified: 2024-05-21 11:20:10 UTC
An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning. References: https://www.bouncycastle.org/latest_releases.html http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34447 https://www.cve.org/CVERecord?id=CVE-2024-34447 https://bugzilla.redhat.com/show_bug.cgi?id=2279227
(In reply to SMASH SMASH from comment #0) > An issue was discovered in Bouncy Castle Java Cryptography APIs before BC > 1.78. We have: - SUSE:SLE-15-SP2:Update/bouncycastle 1.77 - SUSE:ALP:Source:Standard:1.0/bouncycastle 1.77 - openSUSE:Factory/bouncycastle 1.78
Factory now has 1.78.1. Submission for SLE-15-SP2 is now handled here: https://smelt.suse.de/incident/33611/ Submission for SUSE:ALP:Source:Standard:1.0 is here: https://build.suse.de/request/show/328363 Submission for the new SUSE:SLFO:Main is here: https://build.suse.de/request/show/328845 The backports to SLE-15-SP0 and SLE-12 are under way.
According to the issue [0] mentioned in upstream advisory [1], the first version affected by this CVE is 1.61 and we have: * SLE-15-SP0: version 1.58 * SLE-12: version 1.46 So, nothing else to be fixed here since a version update for SLE-15-SP2, SUSE:ALP:Source:Standard:1.0 and SUSE:SLFO:Main has been submitted recently by Fridrich. [0] https://github.com/bcgit/bc-java/issues/1656 [1] https://github.com/bcgit/bc-java/wiki/CVE-2024-34447