From: Leo Famulari
Subject: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 25 Feb 2019 21:01:08 -0500
Message-ID: <20190226020108.GA25161@jasmine.lan>
In-Reply-To: <20180716171430.GA20978@jasmine.lan>
References: <20180614195049.GB4039@jasmine.lan> <20180716062034.GA3973@jasmine.lan> <20180716171430.GA20978@jasmine.lan>
List-Id: Bug reports for GNU Guix
Cc: 31831-done@debbugs.gnu.org

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams has mentioned CVE-2018-0495, as far as I can tell. The original advisory said they do not use the vulnerable pattern, but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro in response to CVE-2018-0495, so I am closing this bug.