PublicDateAtUSN: 2018-06-04
Candidate: CVE-2016-1000346
PublicDate: 2018-06-04 21:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
 https://ubuntu.com/security/notices/USN-3727-1
Description:
 In the Bouncy Castle JCE Provider version 1.55 and earlier the other party
 DH public key is not fully validated. This can cause issues as invalid keys
 can be used to reveal details about the other party's private key where
 static Diffie-Hellman is in use. As of release 1.56 the key parameters are
 checked on agreement calculation.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N [3.7 LOW]


Patches_bouncycastle:
 upstream: https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495
upstream_bouncycastle: released (1.56-1)
precise/esm_bouncycastle: DNE
trusty_bouncycastle: released (1.49+dfsg-2ubuntu0.1)
trusty/esm_bouncycastle: DNE (trusty was released [1.49+dfsg-2ubuntu0.1])
xenial_bouncycastle: ignored (end of standard support, was needed)
artful_bouncycastle: not-affected (1.57-1)
bionic_bouncycastle: not-affected (1.59-1)
cosmic_bouncycastle: not-affected (1.60-1)
disco_bouncycastle: not-affected (1.60-1)
eoan_bouncycastle: not-affected (1.60-1)
focal_bouncycastle: not-affected (1.60-1)
groovy_bouncycastle: not-affected (1.60-1)
hirsute_bouncycastle: not-affected (1.60-1)
impish_bouncycastle: not-affected (1.60-1)
jammy_bouncycastle: not-affected (1.60-1)
devel_bouncycastle: not-affected (1.60-1)