Vulnerability-Lookup

SUSE-SU-2026:1639-1

Vulnerability from csaf_suse - Published: 2026-04-28 11:10 - Updated: 2026-04-28 11:10

Summary

Security update for bouncycastle

Severity

Important

Notes

Title of the patch: Security update for bouncycastle

Description of the patch: This update for bouncycastle fixes the following issues: Update to version 1.84. Security issues fixed: - CVE-2025-14813: GOSTCTR implementation unable to process more than 255 blocks correctly (bsc#1262225). - CVE-2026-0636: LDAP injection in LDAPStoreHelper.java leads to information disclosure (bsc#1262226). - CVE-2026-3505: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion (bsc#1262232). - CVE-2026-5588: PKIX draft CompositeVerifier accepts empty signature sequence as valid (bsc#1262228). - CVE-2026-5598: non-constant time comparisons risks private key leakage in FrodoKEM (bsc#1262227). Other updates and bugfixes: - Version 1.84: - In line with JVM changes, KEM support has been backported to Java 17. - BCJSSE: Configurable (client) early key_share groups via BCSSLParameters.earlyKeyShares or 'org.bouncycastle.jsse.client.earlyKeyShares' system property. - BCJSSE: Support for curveSM2MLKEM768 hybrid NamedGroup in TLS 1.3 per draft-yang-tls-hybrid-sm2-mlkem-03. - BCJSSE: Log when default cipher suites are disabled. - BCJSSE: Experimental support for ShangMi crypto in TLS 1.3 per RFC 8998 (not enabled by default). - CMS: Added CMSAuthEnvelopedDataStreamGenerator.open taking an explicit content type. - HKDF: Provider support for HKDFParameterSpec.Expand. - Added initial support for RFC 9380 (Hashing to Elliptic Curves); see org.bouncycastle.crypto.hash2curve . - PKCS12: Added default max iteration count of 5,000,000 (configurable via 'org.bouncycastle.pkcs12.max_it_count' property). - TLS: Use javax.crypto.KEM API (when available) to access ML-KEM implementation (incl. hybrids). - A new KeyStore, PKCS12-PBMAC1, has been added which defaults to using PBMAC1 and supports RFC 9879. - A new property 'org.bouncycastle.asn1.max_cons_depth' has been added to allow setting of the maximum nesting for SETs/SEQUENCESs in ASN.1. Default is 32. - A new property 'org.bouncycastle.asn1.max_limit' has been added to allow setting of the stream size of ASN.1 encodings. The value can be either in bytes, or appended with k (1 kilobyte blocks), m (1 megabyte blocks), or g (1 gigabyte blocks). - Added NTRU+ support to the lightweight PQC API and the BCPQC provider. - Added SM4 key wrap/unwrap mode, SM2 key exchange, and logging to SM2Signer. - OpenPGP: Added encryption-key filtering by purpose, a new OpenPGPKey constructor, KeyPassphraseProvider-based passphrase change, wildcard (anonymous) recipient handling, and Web-of-Trust methods for third-party signature chains and delegations. - CMSSignedDataStreamGenerator can now support the generation of DER/DL encoded SignedData objects (note memory restrictions still apply). - It is now possible to add extra digest alorithm IDs to CMSSignedDataStreamGenerator when required. - Random numbers being generated for DSTU4145 signature calculations were 1 bit shorter than they could be. The code has been corrected to allow the generated numbers to occupy the full numeric range available. - HKDF implementation has been corrected to use multiple IKMs if available. - CompositePublic/PrivateKey builders had an issue identifying brainpool and EdDSA curves from the algorithm names due to an error in the OID mapping table. This has been fixed. - S/MIME: Fix AuthEnveloped support for AES192/GCM and AES256/GCM. - CMS: Use implicit tag for AuthEnvelopedData.authEncryptedContentInfo.encryptedContent. - Fixed Strings.split to handle delimiters at position 0. - Fixed FrodoKEM error sampling to be constant-time. - Fixed PKIXNameConstraintValidator to treat a DNS name as intersecting itself. - Fixed PKCS12 key stores not calling getInstance with the original provider (which was forcing provider registration). - A resource leak due to the SMIMESigned constructor leaving background threads hanging on MessagingException has been fixed. - OpenPGP: Fixed an issue where a custom signature creation time was ignored when generating message signatures. - OpenPGP: Fixed SKESK encoding for direct-S2K-encrypted messages. - Version 1.83: - Attempting to check a password on a stripped PGP would throw an exception. Checking the password on such a key will now always return false. - Fixed an issue in KangarooTwelve where premature absorption caused erroneous 168-byte padding; absorption is now delayed so correct final-byte padding is applied. - BCJSSE: Fix supported_versions creation for renegotiation handshake. - (D)TLS: Reneg info now oly offered with pre-1.3. - A generic 'COMPOSITE' algorithm name has been added as a JCA Signature algorithm. The algorithm will identify the composite signature to use from the composite key passed in. - The composite signatures implementation has been updated to the final draft and now follows the submitted standard. - Support for the generation and use as trust anchors has been added for certificate signatures with id-alg-unsigned as the signature type. - Support for CMP direct POP for encryption keys using challenge/response has been added to the CMP/CRMF APIs. - Support for SupportedCurves attribute to the BC provider - BCJSSE: Added support for SLH-DSA signature schemes in TLS 1.3 per draft-reddy-tls-slhdsa-01. - Support has been added for the Java 25 KDF API (current algorithms, PBKDF2, SCRYPT, and HKDF). - Support for composite signatures is now included in CMS and timestamping. - It is now possible to disable the Lenstra check in RSA where the public key is not available via the system/security property 'org.bouncycastle.rsa.no_lenstra_check'. - Version 1.82: - SNOVA and MAYO are now correctly added to the JCA provider module-info file. - TLS: Avoid nonce reuse error in JCE AEAD workaround for pre-Java7. - BCJSSE: Session binding map is now shared across all stages of the session lifecycle (SunJSSE compatibility). - The CMCEPrivateKeyParameters#reconstructPublicKey method was returning an empty byte array. It now returns an encoding of the public key. - CBZip2InputStream no longer auto-closes at end-of-contents. - The BC CertPath implementation was eliminating certificates on the bases of the Key-ID. This is not in accordance with RFC 4158. - Support for the previous set of libOQS Falcon OIDs has been restored. - The BC CipherInputStream could throw an exception if asked to handle an AEAD stream consisting of the MAC only. - Some KeyAgreement classes were missing in the Java 11 class hierarchy. - Fix typo in a constant name in the HPKE class and deprecate the old constant. - Fuzzing analysis has been done on the OpenPGP API and additional code has been added to prevent escaping exceptions. - SHA3Digest, CSHAKE, TupleHash, KMAC now provide support for Memoable and EncodableService. - BCJSSE: Added support for integrity-only cipher suites in TLS 1.3 per RFC 9150. - BCJSSE: Added support for system properties 'jdk.tls.{client,server}.maxInboundCertificateChainLength' - BCJSSE: Added support for ML-DSA signature schemes in TLS 1.3 per draft-ietf-tls-mldsa-00. - The Composite post-quantum signatures implementation has been updated to the latest draft (07) draft-ietf-lamps-pq-composite-sigs. - '_PREHASH' implementations are now provided for all composite signatures to allow the hash of the date to be used instead of the actual data in signature calculation. - The gradle build can now be used to generate an Bill of Materials (BOM) file. - It is now possible to configure the SignerInfoVerifierBuilder used by the SignedMailValidator class. - The Ascon family of algorithms has been updated with the latest published changes. - Composite signature keys can now be constructed from the individual keys of the algorithms composing the composite. - PGPSecretKey, PGPSignatureGenerator now support version 6. - Further optimisation work has been done on ML-KEM public key validation. - Zeroization of passwords in the JCA PKCS12 key store has been improved. - The 'org.bouncycastle.drbg.effective_256bits_entropy' property has been added for platforms where the entropy source is not producing 1 full bit of entropy per bit and additional bits are required (default value 282). - OpenPGPKeyGenerator now allows for the use of empty UserIDs (version 4 compatibility). - The HQC KEM has been updated with the latest draft updates. - The legacy post-quantum package has now been removed. - Version 1.81: - A potention NullPointerException in the KEM KDF KemUtil class has been removed. - Overlapping input/output buffers in doFinal could result in data corruption. - Fixed Grain-128AEAD decryption incorrectly handle MAC verification. - Add configurable header validation to prevent malicious header injection in PGP cleartext signed messages; Fix signature packet encoding issues in PGPSignature.join() and embedded signatures while phasing out legacy format. - Fixed ParallelHash initialization stall when using block size B=0. - The PRF from the PBKDF2 function was been lost when PBMAC1 was initialized from protectionAlgorithm. This has been fixed. - The lowlevel DigestFactory was cloning MD5 when being asked to clone SHA1. - XWing implementation updated to draft-connolly-cfrg-xwing-kem/07/ - Further support has been added for generation and use of PGP V6 keys - Additional validation has been added for armored headers in Cleartext Signed Messages. - The PQC signature algorithm proposal Mayo has been added to the low-level API and the BCPQC provider. - The PQC signature algorithm proposal Snova has been added to the low-level API and the BCPQC provider. - Support for ChaCha20-Poly1305 has been added to the CMS/SMIME APIs. - The Falcon implementation has been updated to the latest draft. - Support has been added for generating keys which encode as seed-only and expanded-key-only for ML-KEM and ML-DSA private keys. - Private key encoding of ML-DSA and ML-KEM private keys now follows the latest IETF draft. - The Ascon family of algorithms has been updated to the initial draft of SP 800-232. Some additional optimisation work has been done. - Support for ML-DSA's external-mu calculation and signing has been added to the BC provider. - CMS now supports ML-DSA for SignedData generation. - Introduce high-level OpenPGP API for message creation/consumption and certificate evaluation. - Added JDK21 KEM API implementation for HQC algorithm. - BCJSSE: Strip trailing dot from hostname for SNI, endpointID checks. - BCJSSE: Draft support for ML-KEM updated (draft-connolly-tls-mlkem-key-agreement-05). - BCJSSE: Draft support for hybrid ECDHE-MLKEM (draft-ietf-tls-ecdhe-mlkem-00). - BCJSSE: Optionally prefer TLS 1.3 server's supported_groups order (BCSSLParameters.useNamedGroupsOrder). - Version 1.80: - A splitting issue for ML-KEM led to an incorrect size for kemct in KEMRecipientInfos. This has been fixed. - The PKCS12 KeyStore has been adjusted to prevent accidental doubling of the Oracle trusted certificate attribute (results in an IOException when used with the JVM PKCS12 implementation). - The SignerInfoGenerator copy constructor was ignoring the certHolder field. - The getAlgorithm() method return value for a CompositePrivateKey was not consistent with the corresponding getAlgorithm() return value for the CompositePrivateKey. This has been fixed. - The international property files were missing from the bcjmail distribution. - Issues with ElephantEngine failing on processing large/multi-block messages have been addressed. - GCFB mode now fully resets on a reset. - The lightweight algorithm contestants: Elephant, ISAP, PhotonBeetle, Xoodyak now support the use of the AEADParameters class and provide accurate update/doFinal output lengths. - An unnecessary downcast in CertPathValidatorUtilities was resulting in the ignoring of URLs for FTP based CRLs. - A regression in the OpenPGP API could cause NoSuchAlgorithmException to be thrown when attempting to use SHA-256 in some contexts. - EtsiTs1029411TypesAuthorization was missing an extension field. - Interoperability issues with single depth LMS keys have been addressed. - CompositeSignatures now updated to draft-ietf-lamps-pq-composite-sigs-03. - ML-KEM, ML-DSA, SLH-DSA, and Composite private keys now use raw encodings as per the latest drafts from IETF 121: draft-ietf-lamps-kyber-certificates-06, draft-ietf-lamps-dilithium-certificates-05, and draft-ietf-lamps-x509-slhdsa. - Initial support has been added for RFC 9579 PBMAC1 in the PKCS API. - Support has been added for EC-JPAKE to the lightweight API. - Support has been added for the direct construction of S/MIME AuthEnvelopedData objects, via the SMIMEAuthEnvelopedData class. - An override 'org.bouncycastle.asn1.allow_wrong_oid_enc' property has been added to disable new OID encoding checks (use with caution). - Support has been added for the PBEParemeterSpec.getParameterSpec() method where supported by the JVM. - ML-DSA/SLH-DSA now return null for Signature.getParameters() if no context is provided. This allows the algorithms to be used with the existing Java key tool. - HQC has been updated to reflect the reference implementation released on 2024-10-30. - Support has been added to the low-level APIs for the OASIS Shamir Secret Splitting algorithms. - BCJSSE: System property 'org.bouncycastle.jsse.fips.allowGCMCiphersIn12' no longer used. FIPS TLS 1.2 GCM suites can now be enabled according to JcaTlsCrypto#getFipsGCMNonceGeneratorFactory (see JavaDoc for details) if done in alignment with FIPS requirements. - Support has been added for OpenPGP V6 PKESK and message encryption. - PGPSecretKey.copyWithNewPassword() now includes AEAD support. - The ASCON family of algorithms have been updated in accordance with the published FIPS SP 800-232 draft.

Patchnames: SUSE-2026-1639,SUSE-SLE-Module-Development-Tools-15-SP7-2026-1639,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1639,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1639,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1639,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1639,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1639,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1639,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1639,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1639,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1639,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1639

CVE-2025-14813

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L