Your message dated Sun, 17 Dec 2017 21:19:23 +0000
with message-id <e1eqgld-0006os...@fasolo.debian.org>
and subject line Bug#884241: fixed in bouncycastle 1.58-1
has caused the Debian Bug report #884241,
regarding bouncycastle: CVE-2017-13098
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
884241: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884241
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bouncycastle
Version: 1.57-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerability was published for bouncycastle.

CVE-2017-13098[0]:
| Information leak by distinguish valid and invalid RSA PKCS #1 v1.5
| paddings based on different server responses.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-13098
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098
[1] 
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
[2] https://downloads.bouncycastle.org/betas/
[3] https://www.kb.cert.org/vuls/id/144389

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: bouncycastle
Source-Version: 1.58-1

We believe that the bug you reported is fixed in the latest version of
bouncycastle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated bouncycastle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Dec 2017 20:32:38 +0100
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc 
libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source
Version: 1.58-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS 
(Documenta
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP 
(Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, 
CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... 
(Document
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider 
(Documentation)
Closes: 884241
Changes:
 bouncycastle (1.58-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream version 1.58.
   * Declare compliance with Debian Policy 4.1.2.
   * Apply CVE-2017-13098.patch and fix CVE-2017-13098.
     Thanks to Salvatore Bonaccorso for the report. (Closes: #884241)
Checksums-Sha1:
 88c9c589553a24ccfd711276959d90666a6639c7 2689 bouncycastle_1.58-1.dsc
 20b5f05d8d7f331d77a2d2a70996f2b7ca499821 12145176 bouncycastle_1.58.orig.tar.xz
 acdc54e688b62a67564c44f0c26ff3116fa362b0 10440 
bouncycastle_1.58-1.debian.tar.xz
 05d5154d90914683976ec032f811c33ef075ee89 13774 
bouncycastle_1.58-1_amd64.buildinfo
Checksums-Sha256:
 1cabe2850e5cd0717c1c9ac2051421ec2fa2b6718ad993bdb345c7b9152d9758 2689 
bouncycastle_1.58-1.dsc
 9df97df679ea63cde67c20126bc08c51e90f310da335e9cea1df8fca88b36f79 12145176 
bouncycastle_1.58.orig.tar.xz
 99ecb6f1e88d00a1855371fe04233a706930f4a296c28732e4756da38f020b57 10440 
bouncycastle_1.58-1.debian.tar.xz
 5c86eed4b61ac84b5f8e37013972c22e147dd15fd369679a940d033e66f0cd1a 13774 
bouncycastle_1.58-1_amd64.buildinfo
Files:
 1041326bcc7cf76363bf7ac7cfa3d7af 2689 java optional bouncycastle_1.58-1.dsc
 a368811cb38c8a5555592861f2171b72 12145176 java optional 
bouncycastle_1.58.orig.tar.xz
 c3cedde5b29e38e45247471a0e66ee9f 10440 java optional 
bouncycastle_1.58-1.debian.tar.xz
 405549d011f5770584fc2d5e73e5d9be 13774 java optional 
bouncycastle_1.58-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlo22GlfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkD9oP/2wLwjHawYyMceLvbIfOrQTdaBH+/3KxU4LP
WdNx/jIN/TlmRSN4vaiPmAiJHKNKunx09lcPwU7k1N/0JMIyzA1TEU3ckGWkRs7K
2qqbEaQXj4haLYlqHfv6rJ44QdWI06qJ1rX2HDCnxexTqH5pWU4ZpjWQHM2+zrqI
jsivq3uGW2AG/1j7UHgZ8AAsuRP+ydV3HPXeZIEabxrWOqotKi7O3WjZU29XCJyO
h2pv/39Eo1NBwDpkg483nNVpKqk5d0fxP6lphaBb5MYQjPPQo3AcMLQiDayOVr7h
J3PJZ3Usywotyg7ZWgXx3rFmLtJ0jZc8fipPdGAiOWCz+3OPnafRjbJtVRMW6aIK
rCBWjQl3GnyFUGWsi4KRFoPxTW0J6ZGTZ6y36qZ3hUgbG1zl+POGuDtyZDOMjB5K
73n9BKqb7Boklu6B1tLhNkd0lxQIzUsmC/VRZ7sBgjExbbBfL2E5/dL8+0TkF3qr
OSEYmU8w/hz7YjqtXsAVil1YX5v+BKSoUfQEoXKX/zYmJWkW3koav5Tubrv/bbjT
5L+5XQFlq/kAmhZKJuPI1y9LrHSib34j93ltNcF1obqBGQApkXh0/1P2CyRS+YSN
DF5BLvBh0l3Q6LdWFqYuGbjEnKlRAkiC35zYbbwpXWAG1naQoR9gCMUYk5+XiEfj
LBsQQW+C
=qXGp
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to