[Git][security-tracker-team/security-tracker][master] CVE‐2025‐12194, bouncycastle: bullseye is ignored

Markus Koschany (@apo) apo at debian.org
Thu Oct 30 00:58:29 GMT 2025 


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
953d6ee7 by Markus Koschany at 2025-10-30T00:52:52+01:00
CVE‐2025‐12194,bouncycastle: bullseye is ignored

The code has been re-factored multiple times and there are almost no
similarities in bullseye. I cannot rule out that older versions of bouncycastle
are not affected by this flaw though but by the nature of the CVE this is only
a potential denial-of-service caused by excessive resource consumption.
Backporting those changes is out-of-scope in my opinion and we have also marked
previous DoS CVE as ignored because the security impact is very vague. Hence I
think going with ignored for CVE-2025-12194 is a sensible approach.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1545,6 +1545,7 @@ CVE-2025-34293 (GN4 Publishing System versions prior to 2.6 contain an insecure
 	NOT-FOR-US: GN4 Publishing System
 CVE-2025-12194 (Uncontrolled Resource Consumption vulnerability in Legion of the Bounc ...)
 	- bouncycastle <unfixed> (bug #1118945)
+	[bullseye] - bouncycastle <ignored> (Minor issue)
 	NOTE: Fixed by: https://github.com/bcgit/bc-lts-java/commit/f2776feac0c30230f7a5ac34eb24f5019caf0324 (r2rv73dot8)
 	NOTE: Followup: https://github.com/bcgit/bc-lts-java/commit/2c9be6c64152ce48c6afc784c042a514be71ec71 (r2rv73dot8)
 	NOTE: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9012194



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953d6ee7ba2bec4126edd81d83890c9b4249a29e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953d6ee7ba2bec4126edd81d83890c9b4249a29e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251030/f7be0f9a/attachment.htm>

More information about the debian-security-tracker-commits mailing list