Hi all,

I upgraded the Bouncy Castle package to the latest version 1.48 released last month. This version fixes a security issue.

Starting with version 1.47 there is no longer a bctsp jar shipped upstream but a bcpkix jar with a broader scope. So the libbctsp-java package has been replaced with a new libbcpkix-java package. This change will affect libitext-java and libitext5-java. Is there anything special to do to get the old libbctsp-java 1.46 package removed from the archive when the new libbcpkix-java package is uploaded?

I noticed that Bouncy Castle provides a bcprov-ext jar that isn't packaged yet. This jar was introduced in the 1.39 release; it's a superset of bcprov.jar that includes two extra encryption algorithms (IDEA and NTRU). I'd like to package it but I'm unsure how to handle it. I see 4 solutions:

1. Create a package libbcprov-ext-java that conflicts with libbcprov-java (they would both install the same reference in /etc/java/security/security.d)
2. Substitute bcprov.jar bundled in libbcprov-java with bcprov-ext.jar (and add the necessary symlinks to map the two jars)
3. Create a package libbcprov-ext-java that contains only the new encryption algorithms (this avoids the conflict but creates a jar that diverges significantly from upstream)
4. Do nothing because I'll break cryptography export rules and get arrested quickly :)

What do you think?

Considering the amount of changes, this upload targets the experimental distribution. Here is the changelog:

  * New upstream release
    - Fixes the Lucky 13 attack on CBC-mode encryption in TLS
      CVE-2013-0169, CVE-2013-1624 (Closes: #699885)
  * Added the bcpkix packages
  * Removed the bctsp packages (the TSP API is now included in bcpkix)
  * Updated Standards-Version to 3.9.4: no changes needed.
  * Removed the DMUA flag
  * Refreshed the patches
  * Removed "Suggests: java-virtual-machine" on the libbcpg-java-gcj package

http://mentors.debian.net/package/bouncycastle
http://mentors.debian.net/debian/pool/main/b/bouncycastle/bouncycastle_1.48+dfsg-1.dsc

Thank you for your reviews,

Emmanuel Bourg