Your submission was sent successfully! Close

CVE-2016-1000338

Published: 1 June 2018

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
bouncycastle
Launchpad, Ubuntu, Debian
artful Not vulnerable
(1.57-1)
bionic Not vulnerable
(1.59-1)
cosmic Not vulnerable
(1.60-1)
disco Not vulnerable
(1.60-1)
eoan Not vulnerable
(1.60-1)
focal Not vulnerable
(1.60-1)
groovy Not vulnerable
(1.60-1)
hirsute Not vulnerable
(1.60-1)
impish Not vulnerable
(1.60-1)
jammy Not vulnerable
(1.60-1)
precise Does not exist

trusty Does not exist
(trusty was released [1.49+dfsg-2ubuntu0.1])
upstream
Released (1.56-1)
xenial Ignored
(end of standard support, was needed)