| Name | CVE-2024-34447 |
| Description | An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1070655 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| bouncycastle (PTS) | jessie, jessie (lts) | 1.49+dfsg-3+deb8u3 | vulnerable |
| stretch (security) | 1.56-1+deb9u3 | vulnerable |
| stretch (lts), stretch | 1.56-1+deb9u4 | vulnerable |
| buster (security), buster, buster (lts) | 1.60-1+deb10u1 | vulnerable |
| bullseye | 1.68-2 | vulnerable |
| bookworm | 1.72-2 | vulnerable |
| trixie, sid | 1.77-1 | vulnerable |
The information below is based on the following data on fixed versions.
Notes
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
[buster] - bouncycastle <postponed> (Minor issue)
https://www.bouncycastle.org/latest_releases.html
[jessie] - bouncycastle <postponed> (Minor issue)