Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2015-7940

Published: 9 November 2015

The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Notes

AuthorNote
mdeslaur
no reverse depends in main

Priority

Low

Status

Package Release Status
bouncycastle
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.57-1)
bionic Not vulnerable
(1.59-1)
precise Does not exist
(precise was needed)
trusty Does not exist
(trusty was released [1.49+dfsg-2ubuntu0.1])
upstream
Released (1.51-1)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(1.51-4ubuntu1)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:
upstream: https://github.com/bcgit/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83
upstream: https://github.com/bcgit/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04