Bugzilla – Bug 1096024
VUL-0: CVE-2016-1000346: bouncycastle: other party DH public key is not fully validated
Last modified: 2020-04-23 15:21:52 UTC
CVE-2016-1000346

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937
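Added example, not part of the original report and not Bouncy Castle's code: the standard range and subgroup-membership checks on a peer's DH public value, applied before the agreement calculation. The class and method names, the toy group (p = 23, q = 11) and the private value 7 are constructed for illustration; a real deployment uses the group's actual p and q.

```java
import java.math.BigInteger;

public class DhPublicKeyCheck {
    // Rejects peer values outside [2, p-2] and, when the subgroup order q
    // is known, values that do not lie in the order-q subgroup.
    static void validate(BigInteger y, BigInteger p, BigInteger q) {
        BigInteger two = BigInteger.valueOf(2);
        if (y == null || y.compareTo(two) < 0 || y.compareTo(p.subtract(two)) > 0) {
            throw new IllegalArgumentException("DH public value out of range [2, p-2]");
        }
        if (q != null && !y.modPow(q, p).equals(BigInteger.ONE)) {
            throw new IllegalArgumentException("DH public value not in the order-q subgroup");
        }
    }

    // Key agreement that refuses to touch the private value x until the
    // peer's public value has passed validation.
    static BigInteger agree(BigInteger peerY, BigInteger x, BigInteger p, BigInteger q) {
        validate(peerY, p, q);
        return peerY.modPow(x, p);
    }

    public static void main(String[] args) {
        // Constructed toy group: p = 23, subgroup of prime order q = 11 (generated by 2).
        BigInteger p = BigInteger.valueOf(23);
        BigInteger q = BigInteger.valueOf(11);
        BigInteger x = BigInteger.valueOf(7); // constructed static private value

        // 8 is in the subgroup; 0, 1 and 22 (= p-1) fail the range check;
        // 5 is in range but fails the subgroup check.
        long[] peers = {8, 0, 1, 22, 5};
        for (long v : peers) {
            try {
                BigInteger z = agree(BigInteger.valueOf(v), x, p, q);
                System.out.println("y=" + v + " accepted, shared secret " + z);
            } catch (IllegalArgumentException e) {
                System.out.println("y=" + v + " rejected: " + e.getMessage());
            }
        }
    }
}
```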
already fixed
openSUSE Leap 42.3 is missing.
This is an autogenerated message for OBS integration: This bug (1096024) was mentioned in https://build.opensuse.org/request/show/614511 42.3 / bouncycastle
openSUSE-SU-2018:1689-1: An update that fixes 11 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1072697,1095722,1095849,1095850,1095852,1095853,1095854,1096022,1096024,1096025,1096026
CVE References: CVE-2016-1000338,CVE-2016-1000339,CVE-2016-1000340,CVE-2016-1000341,CVE-2016-1000342,CVE-2016-1000343,CVE-2016-1000344,CVE-2016-1000345,CVE-2016-1000346,CVE-2016-1000352,CVE-2017-13098
Sources used:
openSUSE Leap 42.3 (src): bouncycastle-1.59-23.3.1
This is an autogenerated message for OBS integration: This bug (1096024) was mentioned in https://build.opensuse.org/request/show/624022 Factory / bouncycastle
This is an autogenerated message for OBS integration: This bug (1096024) was mentioned in https://build.opensuse.org/request/show/635779 15.0 / bouncycastle
Leap 15.1 is not affected