Bugzilla – Bug 951727
VUL-0: CVE-2015-7940: bouncycastle: invalid curve attack
Last modified: 2015-11-04 16:17:41 UTC
bouncycastle versions older than 1.51 are vulnerable to an invalid curve attack as described in this article:
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows extraction of private keys used in elliptic curve cryptography with a few thousand queries.

According to upstream developer Peter Dettman, the issue has been fixed with those two commits:
https://github.com/bcgit/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83
https://github.com/bcgit/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04

Maintained on openSUSE only, where it affects openSUSE 13.1, 13.2, Leap 42.1 and Tumbleweed.

Related to CVE-2015-2613

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7940
http://seclists.org/oss-sec/2015/q4/131
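The general defence against an invalid curve attack is to check that a peer-supplied point satisfies the curve equation before it is used in scalar multiplication. The sketch below is an added example, not part of the bug report and not Bouncy Castle's code; it assumes NIST P-256 with uncompressed SEC1 encoding, and the function names are hypothetical.

```python
# Added example: validating a peer-supplied P-256 point before use.
# NIST P-256 domain parameters (y^2 = x^3 + ax + b over GF(p)).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


class InvalidPoint(ValueError):
    """Raised when an encoded point must not reach scalar multiplication."""


def encode(x, y):
    """Uncompressed SEC1 encoding: 0x04 || X || Y (hypothetical helper)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def implied_b(x, y):
    """Constant term of the curve y^2 = x^3 + ax + b' that (x, y) lies on.

    The usual addition and doubling formulas never use b, so arithmetic on
    an unchecked point silently happens on the curve with this b' instead.
    """
    return (y * y - x * x * x - A * x) % P


def decode_and_validate(encoded):
    """Decode an uncompressed point and reject anything not on P-256."""
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise InvalidPoint("expected a 65-byte uncompressed point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if x >= P or y >= P:
        raise InvalidPoint("coordinate is not reduced modulo p")
    if implied_b(x, y) != B:
        raise InvalidPoint("point does not satisfy the curve equation")
    # P-256 has cofactor 1 and this encoding cannot express the point at
    # infinity, so an accepted point is in the prime-order group.
    return x, y


if __name__ == "__main__":
    print(decode_and_validate(encode(GX, GY)) == (GX, GY))  # constructed input
    try:
        decode_and_validate(encode(GX, (GY + 1) % P))  # constructed off-curve point
    except InvalidPoint as exc:
        print("rejected:", exc)
```

Curves with a cofactor greater than 1 need an additional subgroup check that this P-256 sketch does not perform.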
This is an autogenerated message for OBS integration: This bug (951727) was mentioned in https://build.opensuse.org/request/show/340552 Factory / bouncycastle
This is an autogenerated message for OBS integration: This bug (951727) was mentioned in https://build.opensuse.org/request/show/340559 13.2+13.1+Leap:42.1 / bouncycastle.openSUSE_Leap_42.1_Update+bouncycastle
openSUSE-SU-2015:1911-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 951727
CVE References: CVE-2015-7940
Sources used:
openSUSE Leap 42.1 (src): bouncycastle-1.53-16.1
openSUSE 13.2 (src): bouncycastle-1.53-13.3.1
openSUSE 13.1 (src): bouncycastle-1.53-8.3.1