Public bug reported:

The version of BouncyCastle available on Xenial is affected by multiple security vulnerabilities:

https://people.canonical.com/~ubuntu-security/cve/CVE-2015-6644
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000338
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000339
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000340
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000341
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000342
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000343
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000344
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000345
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000346
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000352

I guess that the options are:

- Apply the two missing patches in Bionic version:
  https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000180
  https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000613
  And backport it to Xenial.
- Using the version with the security patches from Debian Stretch (1.56):
  https://metadata.ftp-master.debian.org/changelogs//main/b/bouncycastle/bouncycastle_1.56-1+deb9u2_changelog

** Affects: bouncycastle (Ubuntu)
     Importance: Undecided
         Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-6644
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000338
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000339
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000340
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000341
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000342
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000343
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000344
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000345
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000346
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1000352

** Summary changed:

- Version 1.51 affected by multiple vulnerabilitites
+ Version 1.51 affected by multiple security vulnerabilitites

--
https://bugs.launchpad.net/bugs/1836175

Title:
  Version 1.51 affected by multiple security vulnerabilitites
