bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto

From:	Leo Famulari
Subject:	bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date:	Mon, 25 Feb 2019 21:01:08 -0500
User-agent:	Mutt/1.11.3 (2019-02-01)

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams have mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries, Leo Famulari <=

Prev by Date: bug#34658: Emacs crashes
Next by Date: bug#27993: Oniguruma (PHP and Ruby) security issues
Previous by thread: bug#32915: Incorrect "will be downloaded" report
Next by thread: bug#27993: Oniguruma (PHP and Ruby) security issues
Index(es):
- Date
- Thread