Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8bb15640 by Markus Koschany at 2018-04-15T22:09:52+02:00
CVE-2018-5382,bouncycastle: Marks as ignored for Wheezy.

This issue affects only the integrity verification of BKS keystore files. The
keys are still protected. Whilst still a bug it is not serious enough to invest
time into fixing it.

- - - - -
28a2a9bc by Markus Koschany at 2018-04-15T22:13:56+02:00
Remove bouncycastle from dla-needed.txt

- - - - -
3cd8a8b5 by Markus Koschany at 2018-04-15T22:14:18+02:00
Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -12601,6 +12601,7 @@ CVE-2018-5383
 CVE-2018-5382 [BKS-V1 keystore files vulnerable to trivial hash collisions]
        RESERVED
        - bouncycastle 1.48+dfsg-2
+       [wheezy] - bouncycastle <ignored> (this only affects the integrity 
verification and not the content of the BKS keystore)
        NOTE: 
https://insights.sei.cmu.edu/cert/2018/03/the-curious-case-of-the-bouncy-castle-bks-passwords.html
        NOTE: https://www.kb.cert.org/vuls/id/306792
        NOTE: Issue fixed in 1.47 upstream. The default MAC for a BKS key store 
was
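Review bot: The reason on the added `[wheezy] - bouncycastle <ignored>` line is ambiguous where it says the issue affects "not the content of the BKS keystore". The integrity verification is what detects changes to that content, so the phrase can be read as claiming more than the commit message does ("The keys are still protected"). Consider wording the parenthetical to match the commit message, for example "(only the keystore integrity check is affected; the keys are still protected)", so that someone reading data/CVE/list without the commit log sees the same scope as the triage decision.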


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,8 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 --
 apache2 (Roberto C. Sánchez)
 --
-bouncycastle
---
 calibre
   NOTE: 20180321: Instead of replacing pickle with json, maybe disable 
bookmarking
   NOTE: 20180321: completely and invest the time to fix the Jessie version 
instead?
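Review bot: The `-bouncycastle` removal drops the whole package entry, while the justification visible in this push covers only CVE-2018-5382. Entries in dla-needed.txt are per package, so it is worth confirming that no other unfixed bouncycastle issue is open for wheezy before the entry goes. If CVE-2018-5382 was the only reason the package was listed, saying so in the commit message ("Remove bouncycastle from dla-needed.txt") would make the removal self-explanatory.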



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/63881146ecc18fbb60b13b7319ca32d84d896cab...3cd8a8b5fd95a1e56e9c8169c13fe8e05b4b6b24
