Upstream information

CVE-2015-7940 at MITRE


The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

SUSE information

Overall state of this security issue: Ignore

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5
Vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None
SUSE Bugzilla entry: 951727 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE 13.1
  • bouncycastle >= 1.53-8.3.1
  • bouncycastle-javadoc >= 1.53-8.3.1
openSUSE Leap 42.1
  • bouncycastle >= 1.53-16.1
  • bouncycastle-javadoc >= 1.53-16.1
openSUSE Tumbleweed
  • bouncycastle >= 1.54-1.2
  • bouncycastle-javadoc >= 1.54-1.2
openSUSE Tumbleweed GA bouncycastle