Your submission was sent successfully! Close

CVE-2015-7940

Published: 9 November 2015

The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Priority

Low

Status

Package Release Status
bouncycastle
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.57-1)
bionic Not vulnerable
(1.59-1)
precise Does not exist
(precise was needed)
trusty Does not exist
(trusty was released [1.49+dfsg-2ubuntu0.1])
upstream
Released (1.51-1)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Not vulnerable
(1.51-4ubuntu1)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)