FYI... This was sent to our package maintainers.

---------- Forwarded message ----------
From: Jeffrey Walton <[email protected]>
Date: Thu, Apr 7, 2016 at 7:22 PM
Subject: Re: Potential Crypto++ security bug against AES hardening and timing attacks
To: ...

Hi Everyone,

We checked in the fix for the issue at:

* http://github.com/weidai11/cryptopp/commit/9f335d719ebc27f58251559240de0077ec42c583

We also picked up the improvement for constant propagation:

* http://github.com/weidai11/cryptopp/commit/50e5c14c18671726d23479b5e0cadc4224100259

We have not received feedback on the imperativeness of a CVE, so we are going to handle this as a normal bug fix.

Jeff

On Wed, Apr 6, 2016 at 4:35 PM, Jeffrey Walton <[email protected]> wrote:
> Hi Everyone,
>
> We are tracking a potential security bug in Crypto++. The issue was
> reported at http://github.com/weidai11/cryptopp/issues/146.
>
> The bug is due to the optimizer discarding some code that was intended
> to harden AES against some side channel attacks. It's hard to gauge
> impact, but I'm guessing it could lead to key recovery in some
> circumstances.
>
> We will have a patch shortly.
>
> If it merits a CVE, then we will likely release Crypto++ 5.6.4 in the
> next 15 to 30 days. I'm waiting to hear back from some Red Hat folks
> on the need for a CVE.
>
> László - any thoughts on a CVE from Debian's perspective?
