[ASA-201912-3] crypto++: private key recovery
rgacogne at archlinux.org
Wed Dec 11 08:49:03 UTC 2019
Arch Linux Security Advisory ASA-201912-3
Date : 2019-12-06
CVE-ID : CVE-2019-14318
Package : crypto++
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-1046
The package crypto++ before version 8.2.0-2 is vulnerable to private
Upgrade to 8.2.0-2.
# pacman -Syu "crypto++>=8.2.0-2"
The problem has been fixed upstream but no release is available yet.
A vulnerability has been found in the ECDSA/EdDSA implementation of
crypto++ up to 8.2.0, allowing for practical recovery of the long-term
An attacker might be able to recover long-term private key by measuring
the duration of hundreds to thousands of signing operations of known
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the arch-security