bouncycastle (1.49+dfsg-3+deb8u3) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2016-1000338:
    DSA does not fully validate ASN.1 encoding of signature on verification.
    It is possible to inject extra elements in the sequence making up the
    signature and still have it validate, which in some cases may allow the
    introduction of 'invisible' data into a signed structure.
  * Fix CVE-2016-1000339:
    Previously the primary engine class used for AES was AESFastEngine. Due to
    the highly table driven approach used in the algorithm it turns out that if
    the data channel on the CPU can be monitored the lookup table accesses are
    sufficient to leak information on the AES key being used. There was also a
    leak in AESEngine although it was substantially less. AESEngine has been
    modified to remove any signs of leakage and is now the primary AES class
    for the BC JCE provider. Use of AESFastEngine is now only recommended
    where otherwise deemed appropriate.
  * Fix CVE-2016-1000341:
    DSA signature generation is vulnerable to timing attack. Where timings can
    be closely observed for the generation of signatures, the lack of blinding
    may allow an attacker to gain information about the signature's k value and
    ultimately the private value as well.
  * Fix CVE-2016-1000342:
    ECDSA does not fully validate ASN.1 encoding of signature on verification.
    It is possible to inject extra elements in the sequence making up the
    signature and still have it validate, which in some cases may allow the
    introduction of 'invisible' data into a signed structure.
  * Fix CVE-2016-1000343:
    The DSA key pair generator generates a weak private key if used with
    default values. If the JCA key pair generator is not explicitly initialised
    with DSA parameters, 1.55 and earlier generates a private value assuming a
    1024 bit key size. In earlier releases this can be dealt with by explicitly
    passing parameters to the key pair generator.
  * Fix CVE-2016-1000345:
    The DHIES/ECIES CBC mode is vulnerable to padding oracle attack. In an
    environment where timings can be easily observed, it is possible with
    enough observations to identify when the decryption is failing due to
    padding.
  * Fix CVE-2016-1000346:
    In the Bouncy Castle JCE Provider the other party DH public key is not
    fully validated. This can cause issues as invalid keys can be used to
    reveal details about the other party's private key where static
    Diffie-Hellman is in use. As of this release the key parameters are checked
    on agreement calculation.

 -- Markus Koschany <apo@debian.org>  Sat, 07 Jul 2018 12:33:00 +0200

bouncycastle (1.49+dfsg-3+deb8u2) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2015-6644:
    An information disclosure vulnerability was discovered in Bouncy Castle, a
    Java library which consists of various cryptographic algorithms. The
    Galois/Counter mode (GCM) implementation was missing a boundary check that
    could enable a local application to gain access to user's private
    information.

 -- Markus Koschany <apo@debian.org>  Mon, 10 Apr 2017 20:44:53 +0200

bouncycastle (1.49+dfsg-3+deb8u1) jessie-security; urgency=high

  * Team upload.
  * CVE-2015-7940: fix invalid curve attack as described in
    http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html
    (Closes: #802671)

 -- Markus Koschany <apo@debian.org>  Sun, 13 Dec 2015 22:16:20 +0100

bouncycastle (1.49+dfsg-3) unstable; urgency=medium

  * Replaced the dependency on libgnumail-java with libmail-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Moved the package to Git

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 22 Oct 2014 13:41:01 +0200

bouncycastle (1.49+dfsg-2) unstable; urgency=low

  * Upload to unstable
  * debian/control: Specified the packages broken by this version.
    This completes the transition to Bouncy Castle >= 1.47 (Closes: #687694)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 09 Sep 2013 10:41:55 +0200

bouncycastle (1.49+dfsg-1) experimental; urgency=low

  * New upstream release
  * Updated the Maven poms
  * Use canonical URLs in the Vcs-* fields
  * Added the missing dependencies between the packages:
    - libbcpkix-java depends on libbcprov-java
    - libbcpg-java depends on libbcprov-java
    - libbcmail-java depends on libbcprov-java and libbcpkix-java
  * Added the Classpath attribute in the manifests
  * Added the upstream changelog
  * Removed the -gcj packages
  * debian/orig-tar.sh: Exclude Eclipse project file
  * debian/orig-tar.sh: Exclude the prebuilt CLDC classes
  * debian/rules:
    - Use the CDBS Ant class
    - Updated the download URL for the poms
    - Use uppercase names for the constants
    - Removed the duplicate constants
  * debian/copyright: Updated to follow the Copyright Format 1.0
  * The documentation is now registered with doc-base
  * Moved the documentation in the libbcprov-java-doc package
  * Improved the description of the documentation packages
  * Removed the debian/*.dirs files

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 15 Jul 2013 19:26:52 +0200

bouncycastle (1.48+dfsg-2) unstable; urgency=low

  * Removed the dependency on the Activation Framework (libgnujaf-java)
  * Enabled the hardening for the -gcj packages
  * Upload to unstable

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 17 May 2013 00:10:32 +0200

bouncycastle (1.48+dfsg-1) experimental; urgency=low

  * Team upload.
  * New upstream release (Closes: #701698)
    - Fixes the Lucky 13 attack on CBC-mode encryption in TLS
      CVE-2013-0169, CVE-2013-1624 (Closes: #699885)
  * Added the bcpkix packages (Closes: #675819)
  * Removed the bctsp packages (the TSP API is now included in bcpkix)
  * Updated Standards-Version to 3.9.4: no changes needed.
  * Removed the DMUA flag
  * Refreshed the patches
  * Removed "Suggests: java-virtual-machine" on the libbcpg-java-gcj package

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 29 Mar 2013 12:52:23 +0100

bouncycastle (1.46+dfsg-7) unstable; urgency=low

  * Team upload.
  * Updated Standards-Version to 3.9.3: no changes needed.
  * As per Java Policy, remove "Depends: default-jre | java2-runtime"
    and "Suggests: java-virtual-machine" from library packages:
    only programs need explicit depends on runtime.
  * Force a Build-Depends on default-jdk (>= 1:1.6) to indicate that this
    package needs some classes (like java.security.spec.ECFieldF2m) which
    are not available in GCJ classpath (Closes: #678904).
  * Remove Build-Depends on quilt and debian/README.source file
    since we already use quilt (3.0) source format.

 -- Damien Raude-Morvan <drazzib@debian.org>  Sat, 18 Aug 2012 12:04:18 +0200

bouncycastle (1.46+dfsg-6) unstable; urgency=low

  * Now building for Java 1.5 rather than 1.6 (Closes: #678904)

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Wed, 01 Aug 2012 16:32:19 +0000

bouncycastle (1.46+dfsg-5) unstable; urgency=low

  * Compile using jdk16.xml rather than jdk14.xml as the latter exludes classes
  * Pass unicode flag to javac targets as comments in the files prevent them from
    being compiled as ASCII

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Tue, 22 May 2012 15:23:21 +0000

bouncycastle (1.46+dfsg-4) unstable; urgency=low

  * Disabled optimizations on sparc (Closes: #652117)

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Tue, 03 Apr 2012 22:00:48 +0000

bouncycastle (1.46+dfsg-3) unstable; urgency=low

  * Disabled tests as they will fail as a known issue of the security certs
    having expired.  Upstream has been informed and should fix for the next
    upstream release. This should fix the building of bouncycastle on certain
    platforms that were previously failing.

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Mon, 12 Mar 2012 16:14:47 -0400

bouncycastle (1.46+dfsg-2) unstable; urgency=low

  [ by sponsor Steffen Moeller ]
  * Transition from experimental to unstable.
  * Removal of Michael from uploaders (Closes: #653997).
  * Added DMUA for Brian

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Sat, 04 Feb 2012 19:19:27 +0100

bouncycastle (1.46+dfsg-1) experimental; urgency=low

  [ by sponsor Steffen Moeller ]
  * Merging Ubuntu changes with what is in pkg-java
  * Removing Michael Koch from uploaders, adding Brian

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Tue, 10 Jan 2012 13:15:54 +0100

bouncycastle (1.46+dfsg-0ubuntu1) precise; urgency=low

  * New upstream release
  * Updated Standards-Version to 3.9.2
  * Changed source format to 3.0 (quilt)
  * Changed Section to Java

 -- Brian Thomason <brian.thomason@eucalyptus.com>  Tue, 06 Dec 2011 20:53:23 +0000

bouncycastle (1.44+dfsg-2ubuntu2) oneiric; urgency=low

  * Deployment of Maven artifacts:
    - debian/rules: retrieve source POM's and install
    - debian/control: Build-depend on maven-repo-helper
    - debian/poms/*: versioned POM's from repo1.maven.org
    - debian/lib[bcprov|bcmail|bcpg|bctsp].poms; POM lists
      for deployment to maven-repo
    - debian/maven.rules: Transform rules for POM deployment

 -- James Page <james.page@ubuntu.com>  Wed, 29 Jun 2011 16:36:43 +0100

bouncycastle (1.44+dfsg-3) unstable; urgency=low

  * Team upload.

  [Niels Thykier]
  * Changed the section of the gcj packages to java.
  * Replaced B-D on default-jdk-builddep with gcj-native-helper
    and default-jdk.

  [tony mancill]
  * Apply patch to deploy maven artifacts. (Closes: #632183)
    Thanks to James Page.
  * All Recommends on *-gcj packages downgraded to Suggests. 
    (Closes: #585062)
  * Bumped Standards-Versions 3.9.2 - no changes required.

 -- tony mancill <tmancill@debian.org>  Sun, 10 Jul 2011 16:27:31 -0700

bouncycastle (1.44+dfsg-2ubuntu1) maverick; urgency=low

  * Merge from debian. Remaining changes:
    - debian/rules: Enable test suite
    - debian/control: Build-depend on ant-optional (needed for test suite)
    - debian/control: Only suggest libbcprov-java-gcj on selected
      architectures, build libbcprov-java architecture "any" to have it work

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Thu, 03 Jun 2010 15:51:05 +0200

bouncycastle (1.44+dfsg-2) unstable; urgency=low

  [ Thierry Carrez ]
  * debian/control: depend on java2-runtime-headless instead of java2-runtime

  [ Torsten Werner ]
  * Remove Charles from Uploaders list. (Closes: #569476)

 -- Torsten Werner <twerner@debian.org>  Thu, 11 Feb 2010 22:13:38 +0100

bouncycastle (1.44+dfsg-1) unstable; urgency=low

  * Upload as new upstream release.
  * Add debian/orig-tar.sh script and use it in watch file.
    This now removes the RFCs comming with the upstream tarball.
    (Closes: #554456)

 -- Michael Koch <konqueror@gmx.de>  Thu, 05 Nov 2009 08:16:03 +0100

bouncycastle (1.44-1) unstable; urgency=low

  * New upstream release.

 -- Michael Koch <konqueror@gmx.de>  Sun, 25 Oct 2009 21:04:40 +0100

bouncycastle (1.43-1) unstable; urgency=low

  [ Dominik Smatana ]
  * Fixed broken debian/watch

  [ Michael Koch ]
  * New upstream version.
  * Build-Depends on debhelper >= 7.
  * Let all packages Depends on ${misc:Depends}.
  * Move all -java packages to section 'java'.
  * Replaces java-gcj-compat with default-jre-headless.
  * Added debian/README.source.
  * Updated Standards-Version to 3.8.3.

 -- Michael Koch <konqueror@gmx.de>  Tue, 22 Sep 2009 08:23:30 +0200

bouncycastle (1.39-2) unstable; urgency=low

  * Build-Depends on default-jdk-builddep. Closes: #477847

 -- Michael Koch <konqueror@gmx.de>  Wed, 30 Apr 2008 04:35:02 -0100

bouncycastle (1.39-1) unstable; urgency=low

  * New upstream release.
  * Fixed watch file to match upstream version correctly.
  * Removed '-1' part in Build-Depends.

 -- Michael Koch <konqueror@gmx.de>  Sat, 12 Apr 2008 13:49:12 +0200

bouncycastle (1.38-1) unstable; urgency=low

  * New upstream release.
  * Updated Standards-Version to 3.7.3.
  * Added Homepage, Vcs-Svn and Vcs-Browser fields.

 -- Michael Koch <konqueror@gmx.de>  Sat, 29 Dec 2007 17:03:04 +0100

bouncycastle (1.37-2) unstable; urgency=low

  * Fix dependency of targets to make it possible to build arch:dep packages
    only. Closes: #440669.

 -- Michael Koch <konqueror@gmx.de>  Mon, 15 Oct 2007 20:26:02 +0200

bouncycastle (1.37-1) unstable; urgency=low

  * New upstream release. Closes: #430560, #430562.
  * Replaced ${Source-Version} bei ${source:Version}
  * Added myself to Uploaders.

 -- Michael Koch <konqueror@gmx.de>  Sun, 15 Jul 2007 19:22:07 +0200

bouncycastle (1.33-4) unstable; urgency=low

  * Rebuild the database of security providers in the postrm,
    not in the prerm.

 -- Matthias Klose <doko@debian.org>  Sat, 10 Feb 2007 12:02:19 +0100

bouncycastle (1.33-3) unstable; urgency=low

  * Merge from Ubuntu:
    - Build -gcj packages.
    - Install the docs in an api subdir (not apidoc).

 -- Matthias Klose <doko@debian.org>  Wed,  3 Jan 2007 14:29:42 +0100

bouncycastle (1.33-2.1) unstable; urgency=medium

  * NMU
  * Register org.bouncycastle.jce.provider.BouncyCastleProvider
    as security provider for classpath based runtimes.
  * Install bcprov.jar in /usr/share/java/gcj-endorsed as well.
  * Closes: #394680.

 -- Matthias Klose <doko@debian.org>  Sun, 22 Oct 2006 14:57:44 +0000

bouncycastle (1.33-2) unstable; urgency=low

  * Move clean target dependencies to Build-Depends
  * Make pkg-java-maintainers the primary maintainer
  * Update to standards version 3.7.2

 -- Charles Fry <cfry@debian.org>  Wed,  5 Jul 2006 12:32:16 -0400

bouncycastle (1.33-1) unstable; urgency=low

  * New upstream release
  * Generate bcmail, bctsp, and bcpg in addition to bcprov

 -- Charles Fry <debian@frogcircus.org>  Mon,  8 May 2006 11:46:32 -0400

bouncycastle (1.32-1) unstable; urgency=low

  * New upstream release
  * Add build dependencies on ant, use java-gcj-compat-dev (thanks to Matthias
    Klose <doko@ubuntu.com>)

 -- Charles Fry <debian@frogcircus.org>  Thu, 20 Apr 2006 22:15:18 -0400

bouncycastle (1.30-1) unstable; urgency=low

  * Initial release (Closes: #234048)

 -- Charles Fry <debian@frogcircus.org>  Mon, 19 Sep 2005 08:02:36 -0400

