On Friday, July 26, 2019 at 6:42:39 AM UTC-4, Andrew Marlow wrote:
> On Friday, 26 July 2019 05:56:48 UTC+1, Jeffrey Walton wrote:
>> We received a private email concerning an ECDSA timing attack by Ján Jančár.
>>
>> We are tracking the report at https://github.com/weidai11/cryptopp/issues/869 .
>
> This references the article Remote Timing Attacks are Still Practical, which mentions that the vulnerability was found in OpenSSL. So this makes me wonder, is there a CVE number for this yet?

At the moment there are no CVEs. We have not identified the scope of the issue (yet). We know Add() and Multiply() are leaking some information. We are less sure about how much info is being leaked. We gave the distros a heads up, and told them we probably had something CVE-worthy coming down the pike.

Jeff
