[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2016-1000338,bouncycastle: Will be fixed via DLA

Markus Koschany apo at debian.org
Sat Jul 7 10:32:25 BST 2018


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
066a2e3a by Markus Koschany at 2018-07-07T11:25:55+02:00
CVE-2016-1000338,bouncycastle: Will be fixed via DLA

- - - - -
d4aea527 by Markus Koschany at 2018-07-07T11:29:46+02:00
CVE-2016-1000344,CVE-2016-1000352,bouncycastle: Ignored for Jessie

The ECB mode was simply removed and replaced in newer versions but the changes
are intrusive. The issue can be mitigated by using a different mode than ECB.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -4235,6 +4235,7 @@ CVE-2017-18286 (nZEDb v0.7.3.3 has XSS in the 404 error page. ...)
 	NOT-FOR-US: nZEDb
 CVE-2016-1000352 (In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES ...)
 	- bouncycastle 1.56-1
+	[jessie] - bouncycastle <ignored> (Intrusive changes, can be mitigated by using a different mode than ECB)
 	NOTE: https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f
 CVE-2016-1000346 (In the Bouncy Castle JCE Provider version 1.55 and earlier the other ...)
 	- bouncycastle 1.56-1
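Review bot: the reason on the added [jessie] line for CVE-2016-1000352 says "a different mode than ECB" without naming the scheme it applies to, although the entry's description is about ECIES. Someone reading the tracker entry alone cannot tell which callers need to change their configuration. Consider wording it as "(Intrusive changes, ECIES users can mitigate by using a different mode than ECB)".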
@@ -4244,6 +4245,7 @@ CVE-2016-1000345 (In the Bouncy Castle JCE Provider version 1.55 and earlier the
 	NOTE: https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098
 CVE-2016-1000344 (In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES ...)
 	- bouncycastle 1.56-1
+	[jessie] - bouncycastle <ignored> (Intrusive changes, can be mitigated by using a different mode than ECB)
 	NOTE: https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f
 CVE-2018-11717
 	RESERVED
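Review bot: the added [jessie] line for CVE-2016-1000344 repeats the CVE-2016-1000352 reason word for word, and both entries carry the same upstream NOTE commit (9385b0eb...), but nothing in either entry links them. A short NOTE on each saying the DHIES and ECIES issues share one upstream fix would keep the two <ignored> decisions from drifting apart if one is revisited later.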
@@ -62240,7 +62242,6 @@ CVE-2016-1000360
 	REJECTED
 CVE-2016-1000338 (In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does ...)
 	- bouncycastle 1.56-1
-	[jessie] - bouncycastle <no-dsa> (Minor issue)
 	NOTE: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0
 CVE-2017-8829 (Deserialization vulnerability in lintian through 2.5.50.3 allows ...)
 	- lintian 2.5.50.4 (bug #861958)
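Review bot: removing "[jessie] - bouncycastle <no-dsa> (Minor issue)" from CVE-2016-1000338 leaves the entry with no jessie-specific line at all, so the plan stated in the commit subject ("Will be fixed via DLA") is recorded only in the commit message. Until the DLA is issued the entry reads as an untriaged jessie issue. Consider adding a NOTE to the entry stating that a fix via DLA is planned.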



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0c3a39e7cc5e0d504ad64d663b588b140d7b32ca...d4aea527612c6a8c22ac4124969eadbbe6ad18bf
