[resending the original e-mail because the attachment size apparently exceeded the limit]

Hello security team,

I have prepared two uploads for bouncycastle to fix #802671 [1] based on the work of Raphael Hertzog and one of the upstream developers of bouncycastle, Peter Dettman. The changes for wheezy are identical to the already uploaded squeeze-LTS update. I had to rebase and change patch 1 and 2 for Jessie because of the different upstream version. The fix passes the test suite.

I am attaching the proposed debdiffs for this vulnerability. Please let me know if I can upload the packages to security-master.

Proposed announcement text:

The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Regards,

Markus

[1] https://bugs.debian.org/802671
Attachment:
bouncycastle_CVE_2015_7940.tar.gz
Description: application/gzip
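
The check whose absence the announcement text describes, as an added example (not part of the original e-mail, the attached debdiffs, or Bouncy Castle's own code): validating a peer's point against the curve equation before it is used in ECDH. It uses only JDK classes; the class and method names are hypothetical, and NIST P-256 is an assumed sample curve.

```java
import java.math.BigInteger;
import java.security.spec.ECFieldFp;
import java.security.spec.ECPoint;
import java.security.spec.EllipticCurve;

// Added illustration; class and method names are hypothetical.
public class EcPointValidation {
    // NIST P-256 domain parameters (public constants).
    static final BigInteger P = new BigInteger(
        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16);
    static final BigInteger A = P.subtract(BigInteger.valueOf(3));
    static final BigInteger B = new BigInteger(
        "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B", 16);
    static final EllipticCurve P256 = new EllipticCurve(new ECFieldFp(P), A, B);

    // True only for a finite point with coordinates in [0, p-1] that satisfies
    // y^2 = x^3 + ax + b (mod p). P-256 has cofactor 1, so passing this check
    // also places the point in the prime-order group; curves with a larger
    // cofactor need an additional subgroup check.
    static boolean isValidPoint(EllipticCurve curve, ECPoint q) {
        if (q == null || q == ECPoint.POINT_INFINITY) {
            return false;
        }
        if (!(curve.getField() instanceof ECFieldFp)) {
            throw new IllegalArgumentException("prime-field curves only");
        }
        BigInteger p = ((ECFieldFp) curve.getField()).getP();
        BigInteger x = q.getAffineX();
        BigInteger y = q.getAffineY();
        if (x.signum() < 0 || x.compareTo(p) >= 0
                || y.signum() < 0 || y.compareTo(p) >= 0) {
            return false;
        }
        BigInteger lhs = y.multiply(y).mod(p);
        // (x^2 + a) * x + b  ==  x^3 + ax + b
        BigInteger rhs = x.multiply(x).add(curve.getA()).multiply(x)
                .add(curve.getB()).mod(p);
        return lhs.equals(rhs);
    }

    public static void main(String[] args) {
        // The P-256 base point, and a constructed point with y shifted by one.
        ECPoint g = new ECPoint(
            new BigInteger("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 16),
            new BigInteger("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5", 16));
        ECPoint shifted = new ECPoint(g.getAffineX(), g.getAffineY().add(BigInteger.ONE));
        System.out.println("base point accepted:    " + isValidPoint(P256, g));
        System.out.println("shifted point accepted: " + isValidPoint(P256, shifted));
        System.out.println("infinity accepted:      " + isValidPoint(P256, ECPoint.POINT_INFINITY));
    }
}
```

A key-agreement implementation would run this check on every received public point and abort the exchange on failure, before any scalar multiplication with the private key.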