DescriptionAn issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs977683

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
bouncycastle (PTS)jessie, jessie (lts)1.49+dfsg-3+deb8u3fixed
stretch (security), stretch (lts), stretch1.56-1+deb9u3fixed
sid, bookworm1.71-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
bouncycastlesourcejessie(not affected)
bouncycastlesourcestretch(not affected)
bouncycastlesourcebuster(not affected)


[buster] - bouncycastle <not-affected> (Vulnerability introduced later)
[stretch] - bouncycastle <not-affected> (Vulnerability introduced later)
Introduced in: (r1rv65)
Fixed by: (r1rv67)
[jessie] - bouncycastle <not-affected> (Vulnerability introduced later)

Search for package or bug name: Reporting problems