CVE-2015-7940

Name: CVE-2015-7940
Description: The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-361-1, DSA-3417-1
Debian Bugs: 802671

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release                                  | Version            | Status
bouncycastle (PTS) | jessie, jessie (lts)                     | 1.49+dfsg-3+deb8u3 | fixed
                   | stretch (security)                       | 1.56-1+deb9u3      | fixed
                   | stretch (lts), stretch                   | 1.56-1+deb9u4      | fixed
                   | buster (security), buster, buster (lts)  | 1.60-1+deb10u1     | fixed
                   | bullseye                                 | 1.68-2             | fixed
                   | bookworm                                 | 1.72-2             | fixed
                   | sid, trixie                              | 1.77-1             | fixed

The information below is based on the following data on fixed versions.

Package      | Type   | Release    | Fixed Version         | Urgency | Origin     | Debian Bugs
bouncycastle | source | squeeze    | 1.44+dfsg-2+deb6u1    |         | DLA-361-1  |
bouncycastle | source | wheezy     | 1.44+dfsg-3.1+deb7u1  |         | DSA-3417-1 |
bouncycastle | source | jessie     | 1.49+dfsg-3+deb8u1    |         | DSA-3417-1 |
bouncycastle | source | (unstable) | 1.51-1                |         |            | 802671

Notes

https://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
Commits: https://github.com/bcgit/bc-java/commit/5cb2f05
Possibly also needed: https://github.com/bcgit/bc-java/commit/e25e94a
Peter Dettman <peter.dettman@bouncycastle.org> offered to assist if backporting fails and to review the result.
