Bug 1072697 - (CVE-2017-13098) VUL-0: CVE-2017-13098: bouncycastle: TLS server vulnerable to Adaptive Chosen Ciphertext attack when using JCE allowing plaintext recovery or MITM attack
Status: RESOLVED INVALID
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 42.2
Hardware: Other Other
Importance: P3 - Medium : Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/196499/
Reported: 2017-12-13 16:16 UTC by Marcus Meissner
Modified: 2020-05-03 22:17 UTC
Found By: Security Response Team
Comment 1 Marcus Meissner 2017-12-13 16:16:44 UTC
Bouncy Castle (CVE-2017-13098):
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
1.59 beta 9 contains the fix:
https://downloads.bouncycastle.org/betas/
Comment 2 Marcus Meissner 2017-12-13 16:19:11 UTC
bouncycastle package is on openSUSE Leap only.
Comment 3 Tomáš Chvátal 2017-12-13 20:01:00 UTC
Java is for Pedro these days :)
Comment 4 Pedro Monreal Gonzalez 2017-12-14 12:11:54 UTC
I believe we are not affected by this bug since we are packaging the "JCE with provider and lightweight API" version (bcprov-jdk15on-158.tar.gz) and the affected code is in the "DTLS/TLS API/JSSE Provider" version (bctls-jdk15on-159b09.tar.gz), that we are not packaging. See the download site:

http://polydistortion.net/bc/index.html
Comment 6 Marcus Meissner 2018-01-18 08:17:05 UTC
ok
Comment 7 Swamp Workflow Management 2018-06-06 10:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1072697) was mentioned in
https://build.opensuse.org/request/show/614511 42.3 / bouncycastle
Comment 8 Swamp Workflow Management 2018-06-14 10:08:05 UTC
openSUSE-SU-2018:1689-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1072697,1095722,1095849,1095850,1095852,1095853,1095854,1096022,1096024,1096025,1096026
CVE References: CVE-2016-1000338,CVE-2016-1000339,CVE-2016-1000340,CVE-2016-1000341,CVE-2016-1000342,CVE-2016-1000343,CVE-2016-1000344,CVE-2016-1000345,CVE-2016-1000346,CVE-2016-1000352,CVE-2017-13098
Sources used:
openSUSE Leap 42.3 (src):    bouncycastle-1.59-23.3.1
Comment 9 Swamp Workflow Management 2018-07-19 11:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1072697) was mentioned in
https://build.opensuse.org/request/show/624019 15.0 / bouncycastle
Comment 10 Swamp Workflow Management 2018-07-28 14:04:39 UTC
openSUSE-SU-2018:2131-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1072697,1100694
CVE References: CVE-2017-13098,CVE-2018-1000613
Sources used:
openSUSE Leap 15.0 (src):    bouncycastle-1.60-lp150.2.3.1
Comment 11 Swamp Workflow Management 2020-04-29 13:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1072697) was mentioned in
https://build.opensuse.org/request/show/798905 15.1 / bouncycastle
Comment 12 Swamp Workflow Management 2020-05-03 22:17:43 UTC
openSUSE-SU-2020:0607-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1072697,1100694
CVE References: CVE-2017-13098,CVE-2018-1000613
Sources used:
openSUSE Leap 15.1 (src):    bouncycastle-1.60-lp151.3.3.1