Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8bb15640 by Markus Koschany at 2018-04-15T22:09:52+02:00 CVE-2018-5382,bouncycastle: Marks as ignored for Wheezy. This issue affects only the integrity verification of BKS keystore files. The keys are still protected. Whilst still a bug it is not serious enough to invest time into fixing it. - - - - - 28a2a9bc by Markus Koschany at 2018-04-15T22:13:56+02:00 Remove bouncycastle from dla-needed.txt - - - - - 3cd8a8b5 by Markus Koschany at 2018-04-15T22:14:18+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -12601,6 +12601,7 @@ CVE-2018-5383 CVE-2018-5382 [BKS-V1 keystore files vulnerable to trivial hash collisions] RESERVED - bouncycastle 1.48+dfsg-2 + [wheezy] - bouncycastle <ignored> (this only affects the integrity verification and not the content of the BKS keystore) NOTE: https://insights.sei.cmu.edu/cert/2018/03/the-curious-case-of-the-bouncy-castle-bks-passwords.html NOTE: https://www.kb.cert.org/vuls/id/306792 NOTE: Issue fixed in 1.47 upstream. The default MAC for a BKS key store was ===================================== data/dla-needed.txt ===================================== --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -12,8 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- -bouncycastle --- calibre NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking NOTE: 20180321: completely and invest the time to fix the Jessie version instead? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/63881146ecc18fbb60b13b7319ca32d84d896cab...3cd8a8b5fd95a1e56e9c8169c13fe8e05b4b6b24
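Review bot: In the data/CVE/list hunk, the parenthetical on the added `[wheezy] - bouncycastle <ignored>` line carries only part of the rationale given in the commit message. The commit message also states that the keys are still protected and that the bug is not serious enough to invest time in; the tracker entry is what gets read later without the commit beside it, so consider wording such as "(only the integrity verification of BKS keystore files is affected, the keys remain protected)". A short NOTE saying that wheezy users who depend on the keystore integrity check will not receive a fix would put the consequence of the ignore next to the existing CERT references.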
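Review bot: In the data/dla-needed.txt hunk, the reason for dropping `-bouncycastle` is only recoverable from the previous commit; the message of 28a2a9bc, "Remove bouncycastle from dla-needed.txt", restates the diff without saying why. Suggest mentioning CVE-2018-5382 and the ignored status for Wheezy in that message, or folding the removal into 8bb15640, so the change is traceable when the commit is read on its own.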
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits