
bouncycastle information disclosure [DSA 3829-1] [CVE-2015-6644] (and make Gerrit use Debian package)
Closed, ResolvedPublic

Description

There is an important security update for bouncy castle

EDIT: all of the references seem to just talk about "on Android", but wanted to make sure anyways

We use this with Gerrit.

@Muehlenhoff reported this as Debian Security Advisory DSA-3829

I briefly talked to @demon and we think it may affect Gerrit in production.

NIST and Packet Storm both talk just about "on Android" though?

In jessie this exists but as a source-only package which first confused me about the availability of the package "bouncycastle".

Should it be just apt-get source bouncycastle and dpkg-buildpackage -us -uc in the source dir? Currently we are not installing the package, instead Bouncy Castle comes bundled with Gerrit. But we would like to use the proper Debian package instead and also patch this.

refs:

the 2 existing tickets that contain the string "bouncy castle": T112025 T55895

Event Timeline

Dzahn updated the task description. (Show Details)
Dzahn renamed this task from "bouncycastle information disclosure (gerrit) [DSA 3829-1] [CVE-2015-6644]" to "bouncycastle information disclosure [DSA 3829-1] [CVE-2015-6644] (and make Gerrit use Debian package)". Apr 18 2017, 6:36 AM

This has already been rolled out via the bouncycastle Debian packages last week. Gerrit doesn't bundle bouncycastle in its Debian package either, but it seems it was installed manually to /var/lib/gerrit2/review_site/lib. The proper fix would be what we already did for mysql-connector-java.jar in that directory, replacing it with a symlink to the version of the bcprov jar shipped by the Debian package libbcprov-java. (Or alternatively by replacing bcprov-jdk15on-1.52.jar with 1.56 or later)

This has already been rolled out via the bouncycastle Debian packages last week. Gerrit doesn't bundle bouncycastle in its Debian package either, but it seems it was installed manually to /var/lib/gerrit2/review_site/lib.

That's not true--I put the built file in the (super crappy) debian package we use for Gerrit. It doesn't ship with Gerrit by default (although this changes in 2.14.x)

The proper fix would be what we already did for mysql-connector-java.jar in that directory, replacing it with a symlink to the version of the bcprov jar shipped by the Debian package libbcprov-java. (Or alternatively by replacing bcprov-jdk15on-1.52.jar with 1.56 or later)

Agreed. Although once we upgrade past the 2.13.x series, this won't be necessary anymore since it'll truly be bundled in the *.war file.
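The swap described above (replace the hand-installed bcprov jar in review_site/lib with a symlink to the jar shipped by libbcprov-java, keeping the bundled copy as a backup), as an added example script that is not from this task or from Gerrit. The lib directory comes from the thread; the /usr/share/java/bcprov.jar path for the Debian-shipped jar is an assumption and is passed in as a parameter.

```shell
#!/bin/sh
# Replace a Bouncy Castle provider jar that was dropped into Gerrit's
# review_site/lib by hand with a symlink to the copy maintained by the
# Debian package, so future security fixes arrive through apt.
# Added example; paths are parameters and the defaults are assumptions.
set -e

# Print the bundled (non-symlink) bcprov jars found in a Gerrit lib dir.
# Returns 1 and prints nothing when none is present, so a second run
# after the swap reports "nothing to do".
find_bundled_bcprov() {
    lib_dir=$1
    found=0
    for jar in "$lib_dir"/bcprov-jdk15on-*.jar; do
        [ -e "$jar" ] || continue      # glob matched nothing
        [ -L "$jar" ] && continue      # already switched to the Debian jar
        printf '%s\n' "$jar"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Replace every bundled bcprov jar with a symlink to the Debian-shipped jar.
# The link keeps the original file name, since Gerrit loads every *.jar in
# lib/; the backup gets a .bundled suffix so it is no longer picked up.
link_bcprov_to_debian() {
    lib_dir=$1
    debian_jar=${2:-/usr/share/java/bcprov.jar}   # assumed libbcprov-java path
    if [ ! -f "$debian_jar" ]; then
        echo "Debian jar $debian_jar not found; install libbcprov-java first" >&2
        return 2
    fi
    find_bundled_bcprov "$lib_dir" | while IFS= read -r jar; do
        mv "$jar" "$jar.bundled"
        ln -s "$debian_jar" "$jar"
        echo "replaced $(basename "$jar") -> $debian_jar"
    done
}
```

Run it as root against /var/lib/gerrit2/review_site/lib after installing libbcprov-java, then restart Gerrit so the new jar is loaded.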

demon triaged this task as High priority.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".

Gerrit is now running with Bouncycastle as packaged by Debian (it symlinks to the jars shipped by the Debian package).

I'm confused. Why did we downgrade if there is a security problem?

I'm confused. Why did we downgrade if there is a security problem?

The older version is the one in debian, and it received the security fix as a backport.

Killed 2 birds with one stone here. Fixed the security issue, and swapped to using debian-provided libraries so we don't have to do a song and dance to upgrade next time.