Ubuntu
bouncycastle package

Version 1.51 affected by multiple security vulnerabilitites

Bug #1836175 reported by Marc Peña on 2019-07-11

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	bouncycastle (Ubuntu)	New	Undecided	Unassigned

Bug Description

The version of BouncyCastle available on Xenial is affected by multiple security vulnerabilities:

https://people.canonical.com/~ubuntu-security/cve/CVE-2015-6644
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000338
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000339
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000340
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000341
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000342
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000343
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000344
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000345
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000346
https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1000352

I guess that the options are:
- Apply the two missing patches in Bionic version:
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000180
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000613
And backport it to Xenial.

- Using the version with the security patches from Debian Stretch (1.56): https://metadata.ftp-master.debian.org/changelogs//main/b/bouncycastle/bouncycastle_1.56-1+deb9u2_changelog

CVE References

Marc Peña (pachulo) on 2019-07-11

summary:

- Version 1.51 affected by multiple vulnerabilitites
+ Version 1.51 affected by multiple security vulnerabilitites

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.