ArchLinux: 201912-3: crypto++: private key recovery

    Date 10 Dec 2019
    Posted By LinuxSecurity Advisories
    The package crypto++ before version 8.2.0-2 is vulnerable to private key recovery.
    Arch Linux Security Advisory ASA-201912-3
    =========================================
    
    Severity: High
    Date    : 2019-12-06
    CVE-ID  : CVE-2019-14318
    Package : crypto++
    Type    : private key recovery
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1046
    
    Summary
    =======
    
    The package crypto++ before version 8.2.0-2 is vulnerable to private
    key recovery.
    
    Resolution
    ==========
    
    Upgrade to 8.2.0-2.
    
    # pacman -Syu "crypto++>=8.2.0-2"
    
    The problem has been fixed upstream but no release is available yet.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    A vulnerability has been found in the ECDSA/EdDSA implementation of
    crypto++ up to 8.2.0, allowing for practical recovery of the long-term
    private key.
    
    Impact
    ======
    
    An attacker might be able to recover the long-term private key by
    measuring the duration of hundreds to thousands of signing operations
    of known messages.
    
    References
    ==========
    
    https://seclists.org/oss-sec/2019/q4/3
    https://minerva.crocs.fi.muni.cz/
    https://github.com/weidai11/cryptopp/issues/869
    https://github.com/weidai11/cryptopp/pull/870/commits/80c59bcdb251043f27eef95a4f31224c4615c3ec
    https://github.com/weidai11/cryptopp/commit/c9ef9420e762
    https://security.archlinux.org/CVE-2019-14318
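
A fleet check for the fixed version given under Resolution, added here as an example and not part of the Arch advisory. The `host version` inventory format, the function names and the sample hosts are assumptions constructed for illustration; `vercmp` is the comparison tool shipped with pacman, with GNU `sort -V` used as an approximate fallback where it is missing.

```shell
#!/bin/sh
# Added example: decide whether a crypto++ package version predates the fix.
FIXED="8.2.0-2"   # first fixed version, taken from the advisory

# Returns 0 if $1 is older than FIXED (affected), 1 if fixed, 2 if undecidable.
cryptopp_affected() {
    ver=$1
    [ -n "$ver" ] || return 2
    if command -v vercmp >/dev/null 2>&1; then
        # vercmp prints <0, 0 or >0 using pacman's own version ordering
        [ "$(vercmp "$ver" "$FIXED")" -lt 0 ] && return 0
        return 1
    fi
    # Fallback for hosts without pacman tools: GNU sort -V approximates the
    # ordering for plain pkgver-pkgrel strings but does not understand epochs.
    case $ver in *:*) return 2 ;; esac
    [ "$ver" = "$FIXED" ] && return 1
    oldest=$(printf '%s\n%s\n' "$ver" "$FIXED" | sort -V | head -n 1)
    [ "$oldest" = "$ver" ] && return 0
    return 1
}

# Reads "host version" lines (assumed format, e.g. built from the output of
# `pacman -Q crypto++` on each host) and prints hosts that still need the upgrade.
list_affected_hosts() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        if cryptopp_affected "$ver"; then printf '%s\n' "$host"; fi
    done
}

# Constructed sample inventory, not real data.
SAMPLE='build01 8.2.0-1
web02 8.2.0-2
db03 8.1.0-4
ci04 8.2.0-10'

# Example: printf '%s\n' "$SAMPLE" | list_affected_hosts
```

Signing keys used on a host that ran an affected version are not restored by the upgrade alone; whether to rotate them depends on whether signing durations were observable to untrusted parties.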
    
    
