Home / mailingsPDF  

[USN-8108-1] Bouncy Castle vulnerabilities

Posted on 18 March 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8108-1
March 18, 2026

bouncycastle vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in Bouncy Castle.

Software Description:
- bouncycastle: Java implementation of cryptographic algorithms

Details:

It was discovered that Bouncy Castle did not sanitize user input when
inserting it into an LDAP search filter. An attacker could possibly use
this issue to perform an LDAP injection attack. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-33201)

It was discovered that Bouncy Castle incorrectly handled specially crafted
F2m parameters in the ECCurve algorithm. An attacker could possibly use
this issue to cause Bouncy Castle to use excessive resources, leading to a
denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04
LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-29857)

It was discovered that Bouncy Castle leaked timing information when
handling exceptions during an RSA handshake. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS.
(CVE-2024-30171)

It was discovered that Bouncy Castle incorrectly handled endpoint
identification with an SSL socket enabled without an explicit hostname. An
attacker could possibly use this issue to perform a DNS poisoning attack.
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2024-34447)

Bing Shi discovered that Bouncy Castle incorrectly handled resource memory
allocation. An attacker could possibly use this issue to cause Bouncy
Castle to use excessive resources, leading to a denial of service. This
issue only affected Ubuntu 24.04 LTS. (CVE-2025-8916)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
libbcjmail-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcmail-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbctls-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcutil-java 1.77-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
libbcmail-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro
libbctls-java 1.68-5ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
libbcmail-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.61-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
libbcmail-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpg-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcpkix-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro
libbcprov-java 1.59-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 16.04 LTS
libbcmail-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
libbcpg-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
libbcpkix-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro
libbcprov-java 1.51-4ubuntu1+esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8108-1
CVE-2023-33201, CVE-2024-29857, CVE-2024-30171, CVE-2024-30172,
CVE-2024-34447, CVE-2025-8916

--===============0336063194526657914==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :