PublicDateAtUSN: 2018-06-01
Candidate: CVE-2016-1000338
PublicDate: 2018-06-01 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338
 https://ubuntu.com/security/notices/USN-3727-1
Description:
 In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not
 fully validate ASN.1 encoding of signature on verification. It is possible
 to inject extra elements in the sequence making up the signature and still
 have it validate, which in some cases may allow the introduction of
 'invisible' data into a signed structure.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_bouncycastle:
 upstream: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f
upstream_bouncycastle: released (1.56-1)
precise/esm_bouncycastle: DNE
trusty_bouncycastle: released (1.49+dfsg-2ubuntu0.1)
trusty/esm_bouncycastle: DNE (trusty was released [1.49+dfsg-2ubuntu0.1])
xenial_bouncycastle: ignored (end of standard support, was needed)
artful_bouncycastle: not-affected (1.57-1)
bionic_bouncycastle: not-affected (1.59-1)
cosmic_bouncycastle: not-affected (1.60-1)
disco_bouncycastle: not-affected (1.60-1)
eoan_bouncycastle: not-affected (1.60-1)
focal_bouncycastle: not-affected (1.60-1)
groovy_bouncycastle: not-affected (1.60-1)
hirsute_bouncycastle: not-affected (1.60-1)
impish_bouncycastle: not-affected (1.60-1)
jammy_bouncycastle: not-affected (1.60-1)
devel_bouncycastle: not-affected (1.60-1)