From 37328465741f5969921317639b22ba46ce3f3391f29f8b63aa33b42d5af27c13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 19 Jul 2018 10:27:49 +0000 Subject: [PATCH 1/3] - Version update to 1.60 bsc#1100694: * CVE-2018-1000613 Use of Externally-ControlledInput to Select Classes or Code * Release notes: http://www.bouncycastle.org/releasenotes.html OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=40 --- bcprov-jdk15on-1.59.pom => bcprov-jdk15on-1.60.pom | 2 +- bcprov-jdk15on-159.tar.gz | 3 --- bcprov-jdk15on-160.tar.gz | 3 +++ bouncycastle.changes | 8 ++++++++ bouncycastle.spec | 4 ++-- 5 files changed, 14 insertions(+), 6 deletions(-) rename bcprov-jdk15on-1.59.pom => bcprov-jdk15on-1.60.pom (97%) delete mode 100644 bcprov-jdk15on-159.tar.gz create mode 100644 bcprov-jdk15on-160.tar.gz diff --git a/bcprov-jdk15on-1.59.pom b/bcprov-jdk15on-1.60.pom similarity index 97% rename from bcprov-jdk15on-1.59.pom rename to bcprov-jdk15on-1.60.pom index 880255d..685d22f 100644 --- a/bcprov-jdk15on-1.59.pom +++ b/bcprov-jdk15on-1.60.pom @@ -5,7 +5,7 @@ bcprov-jdk15on jar Bouncy Castle Provider - 1.59 + 1.60 The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8. http://www.bouncycastle.org/java.html diff --git a/bcprov-jdk15on-159.tar.gz b/bcprov-jdk15on-159.tar.gz deleted file mode 100644 index ada8dfe..0000000 --- a/bcprov-jdk15on-159.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1277950662009c57575ad11f696a2824e6c8866f8f1331dd9b7b180b8697c91a -size 9065780 diff --git a/bcprov-jdk15on-160.tar.gz b/bcprov-jdk15on-160.tar.gz new file mode 100644 index 0000000..9545507 --- /dev/null +++ b/bcprov-jdk15on-160.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92c042beb96bffec0890778ab036ac14d16f35da2ef21eaef8d8d23f340ee686 +size 9207686 diff --git a/bouncycastle.changes b/bouncycastle.changes index b9326f1..31d63b2 100644 --- a/bouncycastle.changes +++ b/bouncycastle.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Jul 19 10:24:12 UTC 2018 - tchvatal@suse.com + +- Version update to 1.60 bsc#1100694: + * CVE-2018-1000613 Use of Externally-ControlledInput to Select Classes or Code + * Release notes: + http://www.bouncycastle.org/releasenotes.html + ------------------------------------------------------------------- Mon Jun 11 12:32:43 UTC 2018 - abergmann@suse.com diff --git a/bouncycastle.spec b/bouncycastle.spec index 1afd313..30ec4c1 100644 --- a/bouncycastle.spec +++ b/bouncycastle.spec @@ -16,8 +16,8 @@ # -%define ver 1.59 -%define shortver 159 +%define ver 1.60 +%define shortver 160 %define archivever jdk15on-%{shortver} %define classname org.bouncycastle.jce.provider.BouncyCastleProvider Name: bouncycastle From 090feffdfa905403e2d162c5034cdd3c8c6cdf1699dd083a2ef60cd61dfa0b18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 19 Jul 2018 10:29:31 +0000 Subject: [PATCH 2/3] * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of signature on verification (boo#1095722). * CVE-2016-1000339: Fix AESEngine key information leak via lookup table accesses (boo#1095853). * CVE-2016-1000340: Fix carry propagation bugs in the implementation of squaring for several raw math classes (boo#1095854). * CVE-2016-1000341: Fix DSA signature generation vulnerability to timing attack (boo#1095852). * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of signature on verification (boo#1095850). * CVE-2016-1000343: Fix week default settings for private DSA key pair generation (boo#1095849). * CVE-2016-1000344: Remove DHIES from the provider to disable the unsafe usage of ECB mode (boo#1096026). * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle attack (boo#1096025). * CVE-2016-1000346: Fix other party DH public key validation (boo#1096024). * CVE-2016-1000352: Remove ECIES from the provider to disable the unsafe usage of ECB mode (boo#1096022). OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=41 --- bouncycastle.changes | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/bouncycastle.changes b/bouncycastle.changes index 31d63b2..ceb0cc2 100644 --- a/bouncycastle.changes +++ b/bouncycastle.changes @@ -12,6 +12,27 @@ Mon Jun 11 12:32:43 UTC 2018 - abergmann@suse.com - Version update to 1.59: * CVE-2017-13098: Fix against Bleichenbacher oracle when not using the lightweight APIs (boo#1072697). + * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of + signature on verification (boo#1095722). + * CVE-2016-1000339: Fix AESEngine key information leak via lookup + table accesses (boo#1095853). + * CVE-2016-1000340: Fix carry propagation bugs in the + implementation of squaring for several raw math classes + (boo#1095854). + * CVE-2016-1000341: Fix DSA signature generation vulnerability to + timing attack (boo#1095852). + * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of + signature on verification (boo#1095850). + * CVE-2016-1000343: Fix week default settings for private DSA key + pair generation (boo#1095849). + * CVE-2016-1000344: Remove DHIES from the provider to disable the + unsafe usage of ECB mode (boo#1096026). + * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle + attack (boo#1096025). + * CVE-2016-1000346: Fix other party DH public key validation + (boo#1096024). + * CVE-2016-1000352: Remove ECIES from the provider to disable the + unsafe usage of ECB mode (boo#1096022). * Release notes: http://www.bouncycastle.org/releasenotes.html - Removed patch: From 8251734ae4bde2f7f571004b275563bbb5c7131dc8b312916916a42c6783e24e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 19 Jul 2018 10:30:58 +0000 Subject: [PATCH 3/3] - Version update to 1.59: * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of signature on verification (boo#1095722). * CVE-2016-1000339: Fix AESEngine key information leak via lookup table accesses (boo#1095853). * CVE-2016-1000340: Fix carry propagation bugs in the implementation of squaring for several raw math classes (boo#1095854). * CVE-2016-1000341: Fix DSA signature generation vulnerability to timing attack (boo#1095852). * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of signature on verification (boo#1095850). * CVE-2016-1000343: Fix week default settings for private DSA key pair generation (boo#1095849). * CVE-2016-1000344: Remove DHIES from the provider to disable the unsafe usage of ECB mode (boo#1096026). * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle attack (boo#1096025). * CVE-2016-1000346: Fix other party DH public key validation (boo#1096024). * CVE-2016-1000352: Remove ECIES from the provider to disable the unsafe usage of ECB mode (boo#1096022). - bumb target to 1.6 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=42 --- bouncycastle.changes | 46 ++++++++++++++++++++++---------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/bouncycastle.changes b/bouncycastle.changes index ceb0cc2..11f233e 100644 --- a/bouncycastle.changes +++ b/bouncycastle.changes @@ -9,30 +9,30 @@ Thu Jul 19 10:24:12 UTC 2018 - tchvatal@suse.com ------------------------------------------------------------------- Mon Jun 11 12:32:43 UTC 2018 - abergmann@suse.com -- Version update to 1.59: +- Version update to 1.59: * CVE-2017-13098: Fix against Bleichenbacher oracle when not using the lightweight APIs (boo#1072697). - * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of - signature on verification (boo#1095722). - * CVE-2016-1000339: Fix AESEngine key information leak via lookup - table accesses (boo#1095853). - * CVE-2016-1000340: Fix carry propagation bugs in the - implementation of squaring for several raw math classes - (boo#1095854). - * CVE-2016-1000341: Fix DSA signature generation vulnerability to - timing attack (boo#1095852). - * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of - signature on verification (boo#1095850). - * CVE-2016-1000343: Fix week default settings for private DSA key - pair generation (boo#1095849). - * CVE-2016-1000344: Remove DHIES from the provider to disable the - unsafe usage of ECB mode (boo#1096026). - * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle - attack (boo#1096025). - * CVE-2016-1000346: Fix other party DH public key validation - (boo#1096024). - * CVE-2016-1000352: Remove ECIES from the provider to disable the - unsafe usage of ECB mode (boo#1096022). + * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of + signature on verification (boo#1095722). + * CVE-2016-1000339: Fix AESEngine key information leak via lookup + table accesses (boo#1095853). + * CVE-2016-1000340: Fix carry propagation bugs in the + implementation of squaring for several raw math classes + (boo#1095854). + * CVE-2016-1000341: Fix DSA signature generation vulnerability to + timing attack (boo#1095852). + * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of + signature on verification (boo#1095850). + * CVE-2016-1000343: Fix week default settings for private DSA key + pair generation (boo#1095849). + * CVE-2016-1000344: Remove DHIES from the provider to disable the + unsafe usage of ECB mode (boo#1096026). + * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle + attack (boo#1096025). + * CVE-2016-1000346: Fix other party DH public key validation + (boo#1096024). + * CVE-2016-1000352: Remove ECIES from the provider to disable the + unsafe usage of ECB mode (boo#1096022). * Release notes: http://www.bouncycastle.org/releasenotes.html - Removed patch: @@ -124,7 +124,7 @@ Wed Aug 28 08:25:18 UTC 2013 - mvyskocil@suse.com ------------------------------------------------------------------- Fri May 18 12:39:28 UTC 2012 - mvyskocil@suse.cz -- bumb target to 1.6 +- bumb target to 1.6 ------------------------------------------------------------------- Mon Jan 16 14:19:33 UTC 2012 - mvyskocil@suse.cz