openSUSE has issued an advisory on August 20: https://lists.opensuse.org/opensuse-updates/2019-08/msg00155.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
The package has no registered maintainer, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
Fixed in libcryptopp-8.2.0-1.mga8 (with a patch) by David in Cauldron.
Version: Cauldron => 7Whiteboard: MGA7TOO => (none)CC: (none) => geiger.david68210
Suggested advisory: ======================== The updated packages fix a security vulnerability: Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information. (CVE-2019-14318) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14318 https://lists.opensuse.org/opensuse-updates/2019-08/msg00155.html ======================== Updated packages in core/updates_testing: ======================== lib(64)cryptopp7-7.0.0-1.1.mga7 lib(64)cryptopp-devel-7.0.0-1.1.mga7 libcryptopp-progs-7.0.0-1.1.mga7 from SRPMS: libcryptopp-7.0.0-1.1.mga7.src.rpm
CC: (none) => nicolas.salgueroStatus: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugsCVE: (none) => CVE-2019-14318
The following 13 packages are going to be installed: - binutils-2.32-14.mga7.i586 - gcc-8.3.1-0.20191101.1.mga7.i586 - gcc-cpp-8.3.1-0.20191101.1.mga7.i586 - glibc-devel-2.29-19.mga7.i586 - isl-0.18-1.mga7.i586 - kernel-userspace-headers-5.3.13-2.mga7.i586 - libcryptopp-devel-7.0.0-1.1.mga7.i586 - libcryptopp-progs-7.0.0-1.1.mga7.i586 - libcryptopp7-7.0.0-1.1.mga7.i586 - libisl15-0.18-1.mga7.i586 - libmpc3-1.1.0-3.mga7.i586 - libstdc++-devel-8.3.1-0.20191101.1.mga7.i586 - libxcrypt-devel-4.4.6-1.mga7.i586 ---- Ran test as noted by Lewis in prior validations $ cryptest v > tmp/cryptest_v $ less tmp/cryptest_v In this case seems it did fail: ... SHA validation suite running... Exception caught: Can not open file TestVectors/sha.txt for reading
Whiteboard: (none) => feedbackCC: (none) => brtians1
In bug 21029 comment 6, Lewis said: """ As normal, the self-tests end with: CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading """ so I think that error is "normal".
Whiteboard: feedback => (none)
MGA7-64 Plasma on Lenovo B50 No installation issues. I checked the contents of the packages installed and found that the file reported above are located in /usr/share/cryptopp, so I did $ cd /usr/share/cryptopp/ $ cryptest v > ~/Documenten/cryptest_v And consulting the output file, all tests completed and passed. OK for me.
Whiteboard: (none) => MGA7-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 3.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0362.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
*** Bug 28145 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu