Bug 936435 (CVE-2015-2141) - VUL-0: CVE-2015-2141: libcryptopp: libcrypto++ -- security update
Summary: VUL-0: CVE-2015-2141: libcryptopp: libcrypto++ -- security update
Status: RESOLVED FIXED
Alias: CVE-2015-2141
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/118085/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-29 14:10 UTC by Marcus Meissner
Modified: 2020-07-13 12:35 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2015-06-29 14:10:19 UTC
CVE-2015-2141

Evgeny Sidorov discovered that libcrypto++, a general purpose C++ cryptographic library, did not properly implement blinding to mask private key operations for the Rabin-Williams digital signature algorithm. This could allow remote attackers to mount a timing attack and retrieve the user's private key.

References:
https://github.com/weidai11/cryptopp/commit/9425e16437439e68c7d96abef922167d68fafaff
https://eprint.iacr.org/2015/368
http://www.debian.org/security/2015/dsa-3296
Comment 1 Swamp Workflow Management 2015-06-29 22:00:52 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2015-07-10 13:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (936435) was mentioned in
https://build.opensuse.org/request/show/315854 13.2+13.1 / libcryptopp
Comment 6 Swamp Workflow Management 2015-07-20 16:08:02 UTC
openSUSE-SU-2015:1271-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 936435
CVE References: CVE-2015-2141
Sources used:
openSUSE 13.2 (src):    libcryptopp-5.6.2-7.4.1
openSUSE 13.1 (src):    libcryptopp-5.6.2-2.4.2