Debian `libcrypto++` 5.6.4-9 introduced a security patch for
CVE-2019-14318.

According to a post in 2019,
https://github.com/weidai11/cryptopp/issues/869, the CVE-2019-14318
patch for 5.6.4 was incomplete. A comment in a later 2020 issue mentions
that the 2019 8.3 patch was broken:
https://github.com/weidai11/cryptopp/issues/994#issuecomment-752399981

Debian's 5.6.4-9 uses the 2019 patch which likely contains a regression.
It does not appear that a fully working fix for CVE-2019-14318 in 5.6.4
was made.

** Bug watch added: github.com/weidai11/cryptopp/issues #869
   https://github.com/weidai11/cryptopp/issues/869

** Bug watch added: github.com/weidai11/cryptopp/issues #994
   https://github.com/weidai11/cryptopp/issues/994

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14318

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2060564

Title:
  miscomputation of ECP::ScalarMultiply() using 5.6.4-9

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcrypto++/+bug/2060564/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
