mirrored from https://www.bouncycastle.org/repositories/bc-java
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
CVE‐2024‐30171
David Hook edited this page May 11, 2024
·
4 revisions
Issue affecting: BC TLS Java 1.0.18 and earlier. BC C# .NET 2.3.0 and earlier.
Fixed versions: BC TLS Java 1.0.19. BC C# .NET 2.3.1
Platform affected: All JVMs. All CLRs.
Possible timing side-channel for RSA key exchange ("The Marvin Attack"). The timing signal appeared to be related to the interaction of the TLS APIs with exception handling in the underlying low-level APIs used for providing cryptographic services.
Use of RSA PKCS#1.5 is now disabled by default in the BC TLS APIs.
Fix Commits:
Java:
- https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0
- https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d
C# .NET