Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Oct 2015 12:25:12 +0200
From: Raphael Hertzog <>
Subject: CVE Request: invalid curve attack on bouncycastle


bouncycastle versions older than 1.51 are vulnerable to an
invalid curve attack as described in this article:

The attack allows to extract private keys used in elliptic curve
crytpography with a few thousands queries.

According to upstream developer Peter Dettman, the issue has been fixed
with those two commits:

Could a CVE be assigned to this issue?

Thank you.

PS: Please CC me as I'm not subscribed.
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS:
Learn to master Debian:

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.