bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto
From: Leo Famulari
Subject: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 25 Feb 2019 21:01:08 -0500
User-agent: Mutt/1.11.3 (2019-02-01)

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams has mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.