Bug 1096024 - (CVE-2016-1000346) VUL-0: CVE-2016-1000346: bouncycastle: other party DH public key is not fully validated
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/207243/
Whiteboard: CVSSv2:NVD:CVE-2016-1000346:4.3:(AV:...
Depends on:
Blocks:
Reported: 2018-06-05 11:34 UTC by Alexander Bergmann
Modified: 2020-04-23 15:21 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2018-06-05 11:34:54 UTC
CVE-2016-1000346

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH
public key is not fully validated. This can cause issues as invalid keys can be
used to reveal details about the other party's private key where static
Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on
agreement calculation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937
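Worked example (added here for illustration; it is not code from Bouncy Castle, SUSE or this bug report, and it uses Python rather than Java so the arithmetic is visible without the JCE API). It shows why an unvalidated peer public key leaks bits of a static Diffie-Hellman private key, and the two standard checks (range 2 <= y <= p-2 and subgroup membership y^q mod p == 1, i.e. SP 800-56A full public-key validation) that an agreement calculation can apply before computing y^x; the exact checks Bouncy Castle 1.56 performs are in the linked commit, not reproduced here. Everything in the block is constructed for the demo: a small prime p with p-1 = 2*3*5*7*q so that order-3, order-5 and order-7 elements exist, a party "StaticDHParty" that answers with a hash of the shared secret (standing in for any key-confirmation or KDF output the attacker can observe), and the names validate_dh_public_key, recover_private_key_mod and crt, which are this example's, not the library's.

```python
"""Small-subgroup confinement against unvalidated static DH, and the checks that stop it.
Constructed example; toy-sized parameters. Requires Python 3.8+ (pow(m, -1, r))."""
from hashlib import sha256

SMALL_ORDERS = (3, 5, 7)          # small prime factors deliberately planted in p-1
COFACTOR = 2 * 3 * 5 * 7          # p-1 = COFACTOR * q, q the intended subgroup order


def is_prime(n):
    """Trial division; adequate for the toy group sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def make_weak_group(start_q=100_003):
    """Find primes q and p = 210*q + 1; return (p, q, g) with g generating the order-q subgroup."""
    q = start_q | 1
    while not (is_prime(q) and is_prime(COFACTOR * q + 1)):
        q += 2
    p = COFACTOR * q + 1
    for h in range(2, p):
        g = pow(h, COFACTOR, p)   # h^210 has order q unless it is 1
        if g != 1:
            return p, q, g


def element_of_order(r, p):
    """Return y != 1 with y^r == 1 mod p (r must divide p-1): a 'public key' outside the q-subgroup."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y


def validate_dh_public_key(y, p, q):
    """Full public-key validation: in range and in the prime-order-q subgroup. Raises ValueError."""
    if not 2 <= y <= p - 2:
        raise ValueError("DH public key out of range (0, 1, p-1 or larger)")
    if pow(y, q, p) != 1:
        raise ValueError("DH public key is not in the order-q subgroup")
    return True


def is_accepted(y, p, q):
    """Boolean wrapper around validate_dh_public_key for callers and tests."""
    try:
        return validate_dh_public_key(y, p, q)
    except ValueError:
        return False


def tag(s, p):
    """Key-confirmation tag derived from the shared secret; the value the attacker gets to observe."""
    return sha256(s.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


class StaticDHParty:
    """Holds a long-term private key x (static DH) and answers every peer with tag(peer_y^x)."""

    def __init__(self, p, q, g, x, validate):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.y = pow(g, x, p)
        self.validate = validate       # False models Bouncy Castle <= 1.55 behaviour

    def confirm(self, peer_y):
        if self.validate:
            validate_dh_public_key(peer_y, self.p, self.q)
        return tag(pow(peer_y, self.x, self.p), self.p)


def crt(residues):
    """Combine {modulus: residue} (pairwise coprime moduli) into (x mod M, M)."""
    x, m = 0, 1
    for r, a in residues.items():
        t = ((a - x) * pow(m, -1, r)) % r
        x += m * t
        m *= r
    return x, m


def recover_private_key_mod(victim, p):
    """For each small r | p-1 send an order-r element: the victim's secret y^x = y^(x mod r)
    takes only r values, so matching the tag gives x mod r. CRT combines the residues."""
    residues = {}
    for r in SMALL_ORDERS:
        y = element_of_order(r, p)
        observed = victim.confirm(y)
        residues[r] = next(k for k in range(r) if tag(pow(y, k, p), p) == observed)
    return crt(residues)


def demo(x=None):
    p, q, g = make_weak_group()
    if x is None:
        x = 2 + (0xC0FFEE % (q - 3))           # fixed private key in [2, q-2] for reproducibility
    leaked, mod = recover_private_key_mod(StaticDHParty(p, q, g, x, validate=False), p)
    hardened = StaticDHParty(p, q, g, x, validate=True)
    try:
        hardened.confirm(element_of_order(3, p))
        rejected = False
    except ValueError:
        rejected = True
    return {"x_mod_105": leaked, "modulus": mod, "matches": leaked == x % mod,
            "hardened_rejects_small_subgroup": rejected}


if __name__ == "__main__":
    print(demo())
```

With validation off, three agreements are enough to learn x mod 105; in a real group the attacker gets x mod (product of the small factors of p-1), which is why safe-prime groups (p-1 = 2q) plus the range check, or an explicit y^q check when q is known, are both needed. With validation on, the same peer keys never reach the modPow.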
Comment 1 Alexander Bergmann 2018-06-05 11:35:07 UTC
already fixed
Comment 2 Alexander Bergmann 2018-06-06 07:23:52 UTC
openSUSE Leap 42.3 is missing.
Comment 3 Swamp Workflow Management 2018-06-06 10:30:41 UTC
This is an autogenerated message for OBS integration:
This bug (1096024) was mentioned in
https://build.opensuse.org/request/show/614511 42.3 / bouncycastle
Comment 4 Swamp Workflow Management 2018-06-14 10:09:23 UTC
openSUSE-SU-2018:1689-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1072697,1095722,1095849,1095850,1095852,1095853,1095854,1096022,1096024,1096025,1096026
CVE References: CVE-2016-1000338,CVE-2016-1000339,CVE-2016-1000340,CVE-2016-1000341,CVE-2016-1000342,CVE-2016-1000343,CVE-2016-1000344,CVE-2016-1000345,CVE-2016-1000346,CVE-2016-1000352,CVE-2017-13098
Sources used:
openSUSE Leap 42.3 (src):    bouncycastle-1.59-23.3.1
Comment 5 Swamp Workflow Management 2018-07-19 11:10:32 UTC
This is an autogenerated message for OBS integration:
This bug (1096024) was mentioned in
https://build.opensuse.org/request/show/624022 Factory / bouncycastle
Comment 6 Swamp Workflow Management 2018-09-14 15:30:33 UTC
This is an autogenerated message for OBS integration:
This bug (1096024) was mentioned in
https://build.opensuse.org/request/show/635779 15.0 / bouncycastle
Comment 7 Alexandros Toptsoglou 2020-04-23 15:21:52 UTC
Leap 15.1 is not affected