Your message dated Mon, 04 Jan 2021 05:18:24 +0000
with message-id <[email protected]>
and subject line Bug#977683: fixed in bouncycastle 1.65-2
has caused the Debian Bug report #977683,
regarding bouncycastle: CVE-2020-28052
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
977683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977683
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.65-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for bouncycastle; it affects
1.65 and 1.66 and is fixed in 1.67.
CVE-2020-28052[0]:
| An issue was discovered in Legion of the Bouncy Castle BC Java 1.65
| and 1.66. The OpenBSDBCrypt.checkPassword utility method compared
| incorrect data when checking the password, allowing incorrect
| passwords to indicate they were matching with previously hashed ones
| that were different.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-28052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052
[1] https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
[2] https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
[3] https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
Regards,
Salvatore
--- End Message ---
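The report above concerns a password check whose comparison routine looked at the wrong data. As an added example in Java (this is not Bouncy Castle's code and not the upstream fix referenced in [3]), the block below shows a length-independent constant-time byte comparison next to the mutation check a reviewer would run over any comparator a password verifier relies on: identical inputs must be accepted, and every single-bit change, truncation or extension of the stored value must be rejected. The class and method names (`ConstantTimeCompareCheck`, `constantTimeEquals`, `lengthOnlyEquals`, `countAcceptedMutants`) and the sample string are constructed for this example; `lengthOnlyEquals` is a deliberately broken stand-in for the class of failure the check is meant to catch, not a reproduction of the Bouncy Castle defect.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.BiPredicate;

/*
 * Added example, not Bouncy Castle code. Demonstrates a correct
 * constant-time comparison and a mutation check that flags any comparator
 * which accepts inputs that differ from the reference.
 */
public final class ConstantTimeCompareCheck {

    /** True iff a and b have the same length and the same content.
     *  The loop never exits early, so run time depends only on the lengths,
     *  not on where (or whether) the contents differ. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null) {
            return false;
        }
        int len = Math.min(a.length, b.length);
        int diff = a.length ^ b.length;      // non-zero when lengths differ
        for (int i = 0; i < len; i++) {
            diff |= a[i] ^ b[i];             // accumulate every byte difference
        }
        return diff == 0;
    }

    /** Constructed stand-in for a broken comparator: it only compares lengths
     *  and ignores content. Not the Bouncy Castle bug; it exists so the
     *  mutation check below has something to catch. */
    static boolean lengthOnlyEquals(byte[] a, byte[] b) {
        return a != null && b != null && a.length == b.length;
    }

    /** Mutation check: flips each bit of each byte of the reference, and also
     *  tries a truncated and an extended copy. Returns how many of those
     *  mutants the comparator wrongly accepted; a sound comparator returns 0. */
    static int countAcceptedMutants(BiPredicate<byte[], byte[]> eq, byte[] reference) {
        int accepted = 0;
        for (int i = 0; i < reference.length; i++) {
            for (int bit = 0; bit < 8; bit++) {
                byte[] mutant = reference.clone();
                mutant[i] ^= (byte) (1 << bit);
                if (eq.test(reference, mutant)) {
                    accepted++;
                }
            }
        }
        byte[] shorter = Arrays.copyOf(reference, reference.length - 1);
        byte[] longer = Arrays.copyOf(reference, reference.length + 1);
        if (eq.test(reference, shorter)) {
            accepted++;
        }
        if (eq.test(reference, longer)) {
            accepted++;
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed sample with the shape of a bcrypt string; not a real hash.
        byte[] stored = "$2y$10$constructedSaltConstructedHashValue"
                .getBytes(StandardCharsets.US_ASCII);

        System.out.println("identical input accepted by constantTimeEquals: "
                + constantTimeEquals(stored, stored.clone()));
        System.out.println("mutants accepted by constantTimeEquals: "
                + countAcceptedMutants(ConstantTimeCompareCheck::constantTimeEquals, stored));
        System.out.println("mutants accepted by lengthOnlyEquals: "
                + countAcceptedMutants(ConstantTimeCompareCheck::lengthOnlyEquals, stored));
    }
}
```

Run with `javac ConstantTimeCompareCheck.java && java ConstantTimeCompareCheck`. The correct comparator reports zero accepted mutants, while the length-only stand-in accepts every bit flip and rejects only the truncated and extended copies. Wiring a check like this into the unit tests of any password or MAC verifier turns "compared incorrect data" from a silent authentication bypass into a failing build.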
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.65-2
Done: tony mancill <[email protected]>
We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <[email protected]> (supplier of updated bouncycastle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 03 Jan 2021 18:39:32 -0800
Source: bouncycastle
Architecture: source
Version: 1.65-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: tony mancill <[email protected]>
Closes: 977683
Changes:
bouncycastle (1.65-2) unstable; urgency=medium
.
* Team upload
* Corrected constant time equals (CVE-2020-28052) (Closes: #977683)
Thank you to Salvatore Bonaccorso for the patch.
* Bump Standards-Version to 4.5.1
* Use https URLs in copyright, control and watch
* Use debhelper-compat 13
* Set Rules-Requires-Root: no in debian/control
Checksums-Sha1:
6187686ad8648351869a947960e09f60632ffd8b 2509 bouncycastle_1.65-2.dsc
2f07e72cb141bc8e03e7265b5570b63340a4f73e 11068 bouncycastle_1.65-2.debian.tar.xz
9cc5effd367df4c77944a29d907b88dcef695c20 12810 bouncycastle_1.65-2_amd64.buildinfo
Checksums-Sha256:
5bc98cb04a1326bb266a8f6ed39cc7c0be0e4ce017b9e906622dd041a1ab94b0 2509 bouncycastle_1.65-2.dsc
0d0eded8c4616d21851f75e8d31714256b8370a25c7f71bb04e326203e08f63e 11068 bouncycastle_1.65-2.debian.tar.xz
17881014575afe4f5a4b81ee76a96a15973a7265e70b5a3cdfe575a555775197 12810 bouncycastle_1.65-2_amd64.buildinfo
Files:
0ce26ef783b0936c94707b9a83b09a48 2509 java optional bouncycastle_1.65-2.dsc
9da01d2e0127f8a290d49c6408011056 11068 java optional bouncycastle_1.65-2.debian.tar.xz
990fb7d49f748139ea071fa1d15921d2 12810 java optional bouncycastle_1.65-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---