ALAS-2024-636


Amazon Linux 2023 Security Advisory: ALAS-2024-636
Advisory Release Date: 2024-06-06 20:47 Pacific
Advisory Updated Date: 2024-06-10 17:10 Pacific
Severity: Medium

Issue Overview:

An issue was discovered in Bouncy Castle Java Cryptography APIs before ...

NOTE: https://github.com/bcgit/bc-java/issues/1635
NOTE: https://www.bouncycastle.org/latest_releases.html
DEBIANBUG: [1070655] (CVE-2024-29857)

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning. (CVE-2024-34447)


Affected Packages:

bouncycastle


Issue Correction:
Run dnf update bouncycastle --releasever 2023.4.20240611 to update your system.

New Packages:
noarch:
    bouncycastle-mail-1.70-4.amzn2023.0.5.noarch
    bouncycastle-tls-1.70-4.amzn2023.0.5.noarch
    bouncycastle-1.70-4.amzn2023.0.5.noarch
    bouncycastle-pkix-1.70-4.amzn2023.0.5.noarch
    bouncycastle-util-1.70-4.amzn2023.0.5.noarch
    bouncycastle-pg-1.70-4.amzn2023.0.5.noarch
    bouncycastle-javadoc-1.70-4.amzn2023.0.5.noarch

src:
    bouncycastle-1.70-4.amzn2023.0.5.src
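To confirm the correction took effect on a host, the following added Python check (not part of this advisory or of Amazon's tooling) compares installed bouncycastle builds against the fixed builds listed above using rpm's own version-comparison rules, so a hypothetical `1.70-4.amzn2023.0.10` is not mistaken for older than `.0.5`. The `rpm -q` output it parses is constructed sample input; the `.0.2` builds in it are hypothetical pre-advisory releases.

```python
import re

# Fixed build of every bouncycastle subpackage listed under "New Packages" above.
FIXED = dict.fromkeys(("bouncycastle", "bouncycastle-mail", "bouncycastle-tls",
                       "bouncycastle-pkix", "bouncycastle-util", "bouncycastle-pg",
                       "bouncycastle-javadoc"), "1.70-4.amzn2023.0.5")
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~|\^")   # rpm skips every other separator


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1, 0 or 1 for a older than, equal to, newer than b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x, y = sa[i] if i < len(sa) else "", sb[i] if i < len(sb) else ""
        if x == "~" or y == "~":            # tilde sorts before anything, even end of string
            if x != y: return 1 if y == "~" else -1
        elif x == "^" or y == "^":          # caret: end of string < caret < any other segment
            if x != y: return (1 if x else -1) if y == "^" else (-1 if y else 1)
        elif not x or not y: return -1 if not x else 1        # fewer segments means older
        elif x.isdigit() != y.isdigit(): return 1 if x.isdigit() else -1  # number beats word
        else:
            p, q = (int(x), int(y)) if x.isdigit() else (x, y)
            if p != q: return 1 if p > q else -1
    return 0


def evr_cmp(a, b):
    """Compare [epoch:]version-release strings field by field; a missing epoch is 0."""
    def parts(evr):
        epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
        version, _, release = rest.partition("-")
        return epoch, version, release
    for c in map(rpmvercmp, parts(a), parts(b)):
        if c: return c
    return 0


def unpatched(rpm_q_output):
    r"""Packages whose installed build is older than the advisory's fixed build.
    Input lines look like `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output."""
    old = {}
    for line in rpm_q_output.split("\n"):
        if line.strip():
            name, installed = line.split()
            if name in FIXED and evr_cmp(installed, FIXED[name]) < 0:
                old[name] = installed
    return old


# Constructed sample (not from a real host); .0.2 builds are hypothetical older releases.
SAMPLE_RPM_Q = "bouncycastle 1.70-3.amzn2023.0.2\nbouncycastle-tls 1.70-4.amzn2023.0.5\n" \
               "bouncycastle-pkix 1.70-4.amzn2023.0.5\nbouncycastle-util 1.70-3.amzn2023.0.2\n"
```

Running `unpatched(SAMPLE_RPM_Q)` on the sample reports `bouncycastle` and `bouncycastle-util` as still on the older build.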