openSUSE has issued an advisory on August 20:
Mageia 7 is also affected.
The package has no registered maintainer, so assigning the bug globally.
Fixed in libcryptopp-8.2.0-1.mga8 (with a patch) by David in Cauldron.
The updated packages fix a security vulnerability:
Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information. (CVE-2019-14318)
Updated packages in core/updates_testing:
The following 13 packages are going to be installed:
Ran test as noted by Lewis in prior validations
$ cryptest v > tmp/cryptest_v
$ less tmp/cryptest_v
In this case seems it did fail:
SHA validation suite running...
Exception caught: Can not open file TestVectors/sha.txt for reading
In bug 21029 comment 6, Lewis said:
As normal, the self-tests end with:
CryptoPP::Exception caught: Can not open file TestVectors/dsa.txt for reading
so I think that error is "normal".
MGA7-64 Plasma on Lenovo B50
No installation issues.
I checked the contents of the packages installed and found that the file reported above are located in /usr/share/cryptopp, so I did
$ cd /usr/share/cryptopp/
$ cryptest v > ~/Documenten/cryptest_v
And consulting the output file, all tests completed and passed. OK for me.
Validating. Advisory in Comment 3.
An update for this issue has been pushed to the Mageia Updates repository.