Date: Mon, 25 Feb 2019 21:01:08 -0500
From: Leo Famulari
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Cc: 31831-done@debbugs.gnu.org

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.
https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams have mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.