subject:"Bug#780102\: libjbcrypt\-java\: CVE\-2015\-0886"

Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Emmanuel Bourg

Thank you for the report Moritz.

According to the Bugzilla report the issue happens when BCrypt.gensalt()
is called with the value 31. jenkins is the only package using this
library and it calls this method with no parameter [1], the default
value being 10 [2].

So I don't think this issue is critical for Jessie.

Emmanuel Bourg

[1]
https://sources.debian.net/src/jenkins/1.565.3-3/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java/#L645
[2] https://sources.debian.net/src/libjbcrypt-java/0.3-4/BCrypt.java/#L66

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#780102: libjbcrypt-java: CVE-2015-0886

2015-03-09 Thread Moritz Muehlenhoff

Package: libjbcrypt-java
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0886
http://www.mindrot.org/projects/jBCrypt/news/rel04.html
https://bugzilla.mindrot.org/show_bug.cgi?id=2097

Cheers,
 Moritz

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#780102: libjbcrypt-java: CVE-2015-0886

Bug#780102: libjbcrypt-java: CVE-2015-0886

2 matches

Site Navigation

Mail list logo

Footer information