Hi All,

We are pleased to announce the release of version 1.8.1 of the BouncyCastle C# Crypto API. The main changes are to address CVE-2015-7575. From the release notes:

"(D)TLS 1.2: Motivated by CVE-2015-7575, we have added validation that the signature algorithm received in DigitallySigned structures is actually one of those offered (in signature_algorithms extension or CertificateRequest). With our default TLS configuration, we do not believe there is an exploitable vulnerability in any earlier releases. Users that are customizing the signature_algorithms extension, or running a server supporting client authentication, are advised to double-check that they are not offering any signature algorithms involving MD5."

The release also fixes issues with DTLS record-layer version handling and adds support for ASN.1 GraphicString and VideotexString.

We encourage all users of the library to upgrade to this version.

Please visit http://www.bouncycastle.org/csharp/ for the release notes and to download the .NET 1.1 assembly or the source code. Also see http://www.bouncycastle.org/jira/secure/ReleaseNote.jspa?projectId=10001&version=10510 and https://github.com/bcgit/bc-csharp/pulls?q=is%3Apr+is%3Aclosed for details of resolved issues.

If you are interested in tracking code changes, our git repositories are mirrored to github: https://github.com/bcgit .

If you are interested in donating to the project, you can find the details on how to donate via PayPal or Bitcoin, at: https://www.bouncycastle.org/donate

If you prefer to use direct bank transfer please feel free to discuss it with us by contacting us at off...@bouncycastle.org and we'll be happy to help. The Legion of the Bouncy Castle is a registered Australian charity based in the State of Victoria, Australia.

If you wish to sponsor specific work on Bouncy Castle or get a commercial support contract for the APIs please contact us at Crypto Workshop ( http://www.cryptoworkshop.com ).

Remember, you can also follow this project on Facebook ( https://www.facebook.com/legionofthebouncycastle ), Google+ ( https://plus.google.com/+BouncycastleOrgAPIs/posts ) and/or Twitter ( https://twitter.com/bccrypto ).

Regards,
Pete Dettman
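
The check described in the release notes, as an added Python example (not part of the original announcement and not BouncyCastle's code): it parses a TLS 1.2 signature_algorithms list and a DigitallySigned structure using the RFC 5246 wire layout, rejects a signature algorithm that was never offered, and audits the offered list for MD5. All function names and sample bytes are constructed for illustration.

```python
import struct

HASH_MD5 = 1  # RFC 5246 HashAlgorithm: md5(1), sha1(2), sha256(4), ...

class SignatureAlgorithmNotOffered(Exception):
    """Peer signed with a (hash, signature) pair we never advertised."""

def parse_signature_algorithms(ext_data):
    """Parse supported_signature_algorithms<2..2^16-2> into (hash, sig) pairs."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms")
    (length,) = struct.unpack_from("!H", ext_data)
    body = ext_data[2:]
    if length != len(body) or length == 0 or length % 2:
        raise ValueError("malformed signature_algorithms")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]

def parse_digitally_signed(buf):
    """Parse DigitallySigned: 1-byte hash, 1-byte signature alg, opaque<0..2^16-1>."""
    if len(buf) < 4:
        raise ValueError("truncated DigitallySigned")
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", buf)
    if len(buf) != 4 + sig_len:
        raise ValueError("DigitallySigned length mismatch")
    return (hash_id, sig_id), buf[4:]

def check_digitally_signed(offered, buf):
    """Return (algorithm, signature) only if the algorithm was one we offered."""
    algorithm, signature = parse_digitally_signed(buf)
    if algorithm not in offered:
        raise SignatureAlgorithmNotOffered("not offered: hash=%d sig=%d" % algorithm)
    return algorithm, signature

def md5_offers(offered):
    """Configuration audit: offered pairs that involve MD5."""
    return [alg for alg in offered if alg[0] == HASH_MD5]

# Constructed sample data (not captured traffic).
OFFERED = parse_signature_algorithms(bytes.fromhex("0006040104030201"))
GOOD = bytes.fromhex("04010004deadbeef")       # sha256/rsa, 4-byte dummy signature
DOWNGRADE = bytes.fromhex("01010004deadbeef")  # md5/rsa, never offered

if __name__ == "__main__":
    print(check_digitally_signed(OFFERED, GOOD)[0])
    try:
        check_digitally_signed(OFFERED, DOWNGRADE)
    except SignatureAlgorithmNotOffered as exc:
        print("rejected:", exc)
    print("MD5 pairs offered:", md5_offers(OFFERED))
```

The membership test has to run before the signature itself is verified, so that a peer cannot select a hash the local side never advertised.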