From: Leo Famulari
Subject: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 16 Jul 2018 13:14:30 -0400
Message-ID: <20180716171430.GA20978@jasmine.lan>
References: <20180614195049.GB4039@jasmine.lan> <20180716062034.GA3973@jasmine.lan>
List-Id: Bug reports for GNU Guix
To: Gábor Boskovits
Cc: 31831@debbugs.gnu.org

On Mon, Jul 16, 2018 at 08:53:56AM +0200, Gábor Boskovits wrote:
> Are there any more packages needing attention?

libtomcrypt version 1.18.2 includes a fix; we would need to adapt this to the bundled copy in Dropbear. I can take a look at this today.
NSS was fixed in Guix commit 7c3bea7e6299e1026c7964c83986a6b6c220879a by Marius. Thanks, Marius!

The advisory mentions similar but not identical issues in these packages:

There is a new release of Crypto++ available. I'm not sure if this addresses whatever issue was mentioned in the original advisory.

mbedTLS's changelog doesn't mention anything related to key extraction side channels.

I don't see any related commits in Go's crypto/tls Git repo.