Bug#780102: libjbcrypt-java: CVE-2015-0886

Moritz Mühlenhoff jmm at inutil.org
Wed Mar 18 21:21:26 UTC 2015


On Mon, Mar 09, 2015 at 03:00:27PM +0100, Emmanuel Bourg wrote:
> Thank you for the report Moritz.
> 
> According to the Bugzilla report the issue happens when BCrypt.gensalt()
> is called with the value 31. jenkins is the only package using this
> library and it calls this method with no parameter [1], the default
> value being 10 [2].
> 
> So I don't think this issue is critical for Jessie.

Ok. It is probably fairly unlikely that external Java applications
use the shipped libjbcrypt-java package.

Cheers,
        Moritz
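
An added example, not part of the original message and not jBCrypt code: a Python audit that reads the cost factor out of stored bcrypt hash strings and flags the value 31 discussed above. The CVE-2015-0886 description attributes the issue to an integer overflow in key stretching; modelling the round count as a 32-bit signed `1 << cost` is an assumption made here, and the sample records are constructed.

```python
import re

# Modular-crypt bcrypt string: $2a$<two-digit cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")


def java_int_shift(log_rounds):
    """Value of `1 << log_rounds` in 32-bit signed arithmetic (assumed model)."""
    value = (1 << (log_rounds & 31)) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def bcrypt_cost(hash_string):
    """Return the cost factor encoded in a bcrypt hash, or None if malformed."""
    match = BCRYPT_RE.match(hash_string.strip())
    return int(match.group(1)) if match else None


def audit(records):
    """Return (user, cost, finding) for each stored (user, hash) pair."""
    findings = []
    for user, hash_string in records:
        cost = bcrypt_cost(hash_string)
        if cost is None:
            findings.append((user, None, "not a bcrypt hash"))
        elif java_int_shift(cost) <= 0:
            # The round count is not positive, so the stretching loop
            # would not run the intended 2**cost iterations.
            findings.append((user, cost, "round count overflows 32-bit int"))
        else:
            findings.append((user, cost, "ok"))
    return findings


# Constructed sample records; the salt and hash characters are filler.
SAMPLE = [
    ("alice", "$2a$10$" + "a" * 53),   # default cost mentioned in the thread
    ("bob", "$2a$31$" + "b" * 53),     # cost value named in the bug report
    ("carol", "not-a-hash"),
]

if __name__ == "__main__":
    for user, cost, finding in audit(SAMPLE):
        print(f"{user}: cost={cost} -> {finding}")
```
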


