SECURITY-CHANGELOG.txt

version 2.13.0 (2013-03-28)
	* Implements basic MMA attack protection for RSA1_5 JWE algorithm (issue
	  #23).

version 2.26.1 (2014-07-14)
    * Removes checked exception from RSA1_5.decryptCEK(...) to minimise
      exposure to timing attacks for JWE with RSA1_5 (issue #91).

version 3.1.2 (2014-09-01)
    * Closes timing attack vulnerability in MACVerifier for JWS with HS256,
      HS384 and HS512 (issue #107).

version 4.34.2 (2017-02-28)
    * Adds an explicit check during ECDH decryption to ensure the submitted
      ephemeral public EC key is on the same curve as the private EC key.
      Intended to prevent an "Invalid Curve Attack" with JCA providers that
      don't perform this check internally. See http://c2id.co/3n for details.
      Affected is the default Java SUN JCA provider that comes with Java prior
      to version 1.8.0_51. Later Java versions and the BouncyCastle JCA
      provider are not affected (issue #210). Allocated CVE-2017-12974.

version 4.39 (2017-06-02)
    * Fixes authenticated AES/CBC decryption to prevent Padding Oracle attacks
      in JWE with A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512 encryption
      method (issue #223). Allocated CVE-2017-12973.
    * Fixes authenticated AES/CBC decryption to prevent integer overflow
      attacks that can cause the HMAC check to be bypassed. Affected is JWE
      decryption with A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512 encryption
      method (issue #224). Allocated CVE-2017-12972.