Candidate: CVE-2016-1000338
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not
fully validate ASN.1 encoding of signature on verification. It is possible
to inject extra elements in the sequence making up the signature and still
have it validate, which in some cases may allow the introduction of
'invisible' data into a signed structure.
patch: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0
upstream_bouncycastle: needs-triage
precise/esm_bouncycastle: DNE
trusty_bouncycastle: needs-triage
xenial_bouncycastle: needs-triage
artful_bouncycastle: needs-triage
bionic_bouncycastle: needs-triage
devel_bouncycastle: needs-triage