Alerts This Week
Warning Icon 1 560
Alerts This Week
Warning Icon 1 560

openSUSE: 2018:1689-1 Moderate: BouncyCastle Timing Issues and Fixes

opensuse
Calendar Grey June 14, 2018
Dist Opensuse Esm H88
A new update for Fedora regarding libressl resolves 10 vulnerabilities that encompass side-channel exploits and security flaws in its encryption protocols.
An update that fixes 11 vulnerabilities is now available.

Description

This update for bouncycastle to version 1.59 fixes the following issues:

These security issues were fixed:

- CVE-2017-13098: BouncyCastle, when configured to use the JCE (Java

Cryptography Extension) for cryptographic functions, provided a weak

Bleichenbacher oracle when any TLS cipher suite using RSA key exchange

was negotiated. An attacker can recover the private key from a

vulnerable application. This vulnerability is referred to as "ROBOT"

(bsc#1072697).

- CVE-2016-1000338: Ensure full validation of ASN.1 encoding of signature

on verification. It was possible to inject extra elements in the

sequence making up the signature and still have it validate, which in

some cases may have allowed the introduction of 'invisible' data into a

signed structure (bsc#1095722).

- CVE-2016-1000339: Prevent AESEngine key information leak via lookup

table accesses (boo#1095853).

- CVE-2016-1000340: Preventcarry propagation bugs in...

Read the Full Advisory

Topics%20covered

Topics Covered

security advisory moderate patch timing attack cryptography openSUSE bouncycastle

Patch

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods

like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-628=1

Package List

- openSUSE Leap 42.3 (noarch):

bouncycastle-1.59-23.3.1

bouncycastle-javadoc-1.59-23.3.1

References

https://www.suse.com/security/cve/CVE-2016-1000338.html

https://www.suse.com/security/cve/CVE-2016-1000339.html

https://www.suse.com/security/cve/CVE-2016-1000340.html

https://www.suse.com/security/cve/CVE-2016-1000341.html

https://www.suse.com/security/cve/CVE-2016-1000342.html

https://www.suse.com/security/cve/CVE-2016-1000343.html

https://www.suse.com/security/cve/CVE-2016-1000344.html

https://www.suse.com/security/cve/CVE-2016-1000345.html

https://www.suse.com/security/cve/CVE-2016-1000346.html

https://www.suse.com/security/cve/CVE-2016-1000352.html

https://www.suse.com/security/cve/CVE-2017-13098.html

https://bugzilla.suse.com/1072697

https://bugzilla.suse.com/1095722

https://bugzilla.suse.com/1095849

https://bugzilla.suse.com/1095850

https://bugzilla.suse.com/1095852

https://bugzilla.suse.com/1095853

https://bugzilla.suse.com/1095854

https://bugzilla.suse.com/1096022

https://bugzilla.suse.com/1096024

https://bugzilla.suse.com/1096025

https://bugzilla.suse.com/1096026

--

Announcement ID: openSUSE-SU-2018:1689-1
Rating: moderate
Affected Products: openSUSE Leap 42.3

Topics%20covered

Topics Covered

security advisory moderate patch timing attack cryptography openSUSE bouncycastle

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here