Bug 1058454 - CVE-2013-1624 bouncycastle: TLS CBC padding timing attack [jpp-6.2.0]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: JBoss Enterprise Portal Platform 6
Classification: JBoss
Component: unspecified
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ER05
Target Release: 6.2.0
Assignee: hfnukal@redhat.com
QA Contact: Filip Kiss
URL:
Whiteboard:
Depends On:
Blocks: CVE-2013-1624 1082914 1082938
Reported: 2014-01-27 20:10 UTC by Chess Hazlett
Modified: 2015-05-14 15:15 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-05-14 15:15:30 UTC
Type: Bug
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:1009 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Portal 6.2.0 update | 2015-05-14 19:14:47 UTC

Description Chess Hazlett 2014-01-27 20:10:19 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=908428

Comment 3 Arun Babu Neelicattu 2014-04-01 07:04:53 UTC
Recommended fix: Upgrade to bouncycastle >= 1.48

Comment 4 Arun Babu Neelicattu 2014-07-24 06:09:58 UTC
Retargeting this to JPP 6.2.0.

Comment 5 Arun Babu Neelicattu 2014-07-24 06:13:35 UTC
This was retargeted due to an overwhelming lack of progress. This was expected to be fixed before 6.2.0.

Comment 7 Filip Kiss 2014-09-09 12:06:30 UTC
Hi Chess,
can you please provide me a link with a reproducer for this issue?

Thank you,
Filip Kiss

Comment 8 Chess Hazlett 2014-09-19 17:09:21 UTC
Filip, we don't have a reproducer for this flaw.  For other product fixes for this CVE, we've been verifying that updated bc jars are in use.  The correct bc jars (1.50, need >1.48) are in CR1 as of 2014-09-19.

Comment 10 errata-xmlrpc 2015-05-14 15:15:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1009.html

