Security update for libcryptopp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1968-1 Final 1 1 2019-08-20T10:57:58Z current 2019-08-20T10:57:58Z 2019-08-20T10:57:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libcryptopp This update for libcryptopp fixes the following issues: - CVE-2019-14318: Fixed a timing side channel vulnerability in the ECDSA signature generation (boo#1143532). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1968 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PIBT23NESB2572K3CT3URDK6WH7QTD3Y/#PIBT23NESB2572K3CT3URDK6WH7QTD3Y E-Mail link for openSUSE-SU-2019:1968-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1143532 SUSE Bug 1143532 https://www.suse.com/security/cve/CVE-2019-14318/ SUSE CVE CVE-2019-14318 page SUSE Package Hub 15 SUSE Package Hub 15 SP1 openSUSE Leap 15.0 openSUSE Leap 15.1 libcryptopp-devel-5.6.5-bp151.4.3.1 libcryptopp5_6_5-5.6.5-bp151.4.3.1 libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 libcryptopp-devel-5.6.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libcryptopp5_6_5-5.6.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 as a component of SUSE Package Hub 15 libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 as a component of SUSE Package Hub 15 libcryptopp-devel-5.6.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libcryptopp5_6_5-5.6.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 as a component of SUSE Package Hub 15 SP1 libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libcryptopp-devel-5.6.5-bp151.4.3.1 as a component of openSUSE Leap 15.0 libcryptopp5_6_5-5.6.5-bp151.4.3.1 as a component of openSUSE Leap 15.0 libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 as a component of openSUSE Leap 15.0 libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 as a component of openSUSE Leap 15.0 libcryptopp-devel-5.6.5-bp151.4.3.1 as a component of openSUSE Leap 15.1 libcryptopp5_6_5-5.6.5-bp151.4.3.1 as a component of openSUSE Leap 15.1 libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 as a component of openSUSE Leap 15.1 libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 as a component of openSUSE Leap 15.1 Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information. CVE-2019-14318 SUSE Package Hub 15 SP1:libcryptopp-devel-5.6.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 SUSE Package Hub 15 SP1:libcryptopp5_6_5-5.6.5-bp151.4.3.1 SUSE Package Hub 15 SP1:libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 SUSE Package Hub 15:libcryptopp-devel-5.6.5-bp151.4.3.1 SUSE Package Hub 15:libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 SUSE Package Hub 15:libcryptopp5_6_5-5.6.5-bp151.4.3.1 SUSE Package Hub 15:libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 openSUSE Leap 15.0:libcryptopp-devel-5.6.5-bp151.4.3.1 openSUSE Leap 15.0:libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 openSUSE Leap 15.0:libcryptopp5_6_5-5.6.5-bp151.4.3.1 openSUSE Leap 15.0:libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 openSUSE Leap 15.1:libcryptopp-devel-5.6.5-bp151.4.3.1 openSUSE Leap 15.1:libcryptopp5_6_5-32bit-5.6.5-lp151.3.3.1 openSUSE Leap 15.1:libcryptopp5_6_5-5.6.5-bp151.4.3.1 openSUSE Leap 15.1:libcryptopp5_6_5-64bit-5.6.5-bp151.4.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PIBT23NESB2572K3CT3URDK6WH7QTD3Y/#PIBT23NESB2572K3CT3URDK6WH7QTD3Y https://www.suse.com/security/cve/CVE-2019-14318.html CVE-2019-14318 https://bugzilla.suse.com/1143532 SUSE Bug 1143532 https://bugzilla.suse.com/1145187 SUSE Bug 1145187