{"id":"MGASA-2018-0376","summary":"Updated bouncycastle packages fix security vulnerabilities","details":"Updated bouncycastle packages fix security vulnerabilities:\n\nEnsure full validation of ASN.1 encoding of signature on verification.\nIt was possible to inject extra elements in the sequence making up the\nsignature and still have it validate, which in some cases may have\nallowed the introduction of 'invisible' data into a signed structure\n(CVE-2016-1000338).\n\nPrevent AESEngine key information leak via lookup table accesses\n(CVE-2016-1000339).\n\nPreventcarry propagation bugs in the implementation of squaring for\nseveral raw math classes (CVE-2016-1000340).\n\nDSA signature generation was vulnerable to timing attack. Where timings\ncan be closely observed for the generation of signatures may have allowed\nan attacker to gain information about the signature's k value and\nultimately the private value as well (CVE-2016-1000341).\n\nEnsure that ECDSA does fully validate ASN.1 encoding of signature on\nverification. It was possible to inject extra elements in the sequence\nmaking up the signature and still have it validate, which in some cases\nmay have allowed the introduction of 'invisible' data into a signed\nstructure (CVE-2016-1000342).\n\nPrevent weak default settings for private DSA key pair generation\n(CVE-2016-1000343).\n\nRemoved DHIES from the provider to disable the unsafe usage of ECB mode\n(CVE-2016-1000344).\n\nThe DHIES/ECIES CBC mode was vulnerable to padding oracle attack. In an\nenvironment where timings can be easily observed, it was possible with\nenough observations to identify when the decryption is failing due to\npadding (CVE-2016-1000345).\n\nThe other party DH public key was not fully validated. This could have\ncaused issues as invalid keys could be used to reveal details about the\nother party's private key where static Diffie-Hellman is in use\n(CVE-2016-1000346).\n\nRemove ECIES from the provider to disable the unsafe usage of ECB mode\n(CVE-2016-1000352).\n\nBouncyCastle, when configured to use the JCE (Java Cryptography Extension)\nfor cryptographic functions, provided a weak Bleichenbacher oracle when\nany TLS cipher suite using RSA key exchange was negotiated. An attacker\ncan recover the private key from a vulnerable application. This\nvulnerability is referred to as \"ROBOT\" (CVE-2017-13098).\n\nIt was discovered that the low-level interface to the RSA key pair\ngenerator of Bouncy Castle (a Java implementation of cryptographic\nalgorithms) could perform less Miller-Rabin primality tests than expected\n(CVE-2018-1000180).\n\nFix use of Externally-Controlled Input to Select Classes or Code\n('Unsafe Reflection') (CVE-2018-1000613).\n","modified":"2026-04-16T01:46:35.569923068Z","published":"2018-09-20T23:17:55Z","upstream":["CVE-2016-1000338","CVE-2016-1000339","CVE-2016-1000340","CVE-2016-1000341","CVE-2016-1000342","CVE-2016-1000343","CVE-2016-1000344","CVE-2016-1000345","CVE-2016-1000346","CVE-2016-1000352","CVE-2017-13098","CVE-2018-1000180","CVE-2018-1000613"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0376.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22197"},{"type":"WEB","url":"https://www.debian.org/security/2018/dsa-4233"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-updates/2018-06/msg00085.html"},{"type":"WEB","url":"https://lists.opensuse.org/opensuse-updates/2018-07/msg00089.html"}],"affected":[{"package":{"name":"bouncycastle","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/bouncycastle?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.60-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0376.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}