GNU bug report logs - #31831
CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 14 Jun 2018 19:24:02 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Message #42 received at 31831-done <at> debbugs.gnu.org:
On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams have mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.
This bug report was last modified 6 years and 84 days ago.