Message-ID: <20151022102512.GA23523@home.ouaza.com>
Date: Thu, 22 Oct 2015 12:25:12 +0200
From: Raphael Hertzog <hertzog@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE Request: invalid curve attack on bouncycastle

Hello,

bouncycastle versions older than 1.51 are vulnerable to an
invalid curve attack as described in this article:
http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html

The attack allows extracting private keys used in elliptic curve
cryptography with a few thousand queries.

According to upstream developer Peter Dettman, the issue has been fixed
with those two commits:
https://github.com/bcgit/bc-java/commit/5cb2f05
https://github.com/bcgit/bc-java/commit/e25e94a

Could a CVE be assigned to this issue?

Thank you.

PS: Please CC me as I'm not subscribed.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
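
The usual defence against an invalid curve attack is to confirm that a peer-supplied point lies on the expected curve before it is used in any scalar multiplication. The following Python check for NIST P-256 is an added example, not part of the message above and not code from the Bouncy Castle commits it links; the function names and the sample points are constructed for illustration.

```python
# Added example: public-point validation for NIST P-256 (cofactor 1).
# Curve: y^2 = x^3 + A*x + B over GF(P). Function names are hypothetical.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Standard base point, used here as a known-good sample input.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def on_curve(x: int, y: int) -> bool:
    """True only if (x, y) is in range and satisfies the P-256 equation."""
    if not (0 <= x < P and 0 <= y < P):
        return False  # non-canonical coordinates are rejected, not reduced
    return (y * y - (x * x * x + A * x + B)) % P == 0


def parse_and_validate(encoded: bytes) -> tuple:
    """Decode an uncompressed SEC1 point (0x04 || X || Y) and validate it.

    The point at infinity has no 65-byte encoding, so it is rejected by the
    length/prefix check. With cofactor 1, an on-curve finite point is
    automatically in the prime-order group.
    """
    if len(encoded) != 65 or encoded[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:], "big")
    if not on_curve(x, y):
        raise ValueError("point is not on P-256")
    return x, y


def encode(x: int, y: int) -> bytes:
    """Build an uncompressed SEC1 encoding (used for the constructed samples)."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def accepts(encoded: bytes) -> bool:
    """Convenience wrapper: True if the encoded point passes validation."""
    try:
        parse_and_validate(encoded)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("base point:", accepts(encode(GX, GY)))         # valid point
    print("off-curve :", accepts(encode(GX, GY + 1)))     # constructed invalid point
```

The check belongs at the boundary where untrusted key material is decoded, so that no later code path can operate on an unvalidated point.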
