Arch Linux Security Advisory ASA-201912-3 ========================================= Severity: High Date : 2019-12-06 CVE-ID : CVE-2019-14318 Package : crypto++ Type : private key recovery Remote : Yes Link : https://security.archlinux.org/AVG-1046 Summary ======= The package crypto++ before version 8.2.0-2 is vulnerable to private key recovery. Resolution ========== Upgrade to 8.2.0-2. # pacman -Syu "crypto++>=8.2.0-2" The problem has been fixed upstream but no release is available yet. Workaround ========== None. Description =========== A vulnerability has been found in the ECDSA/EdDSA implementation of crypto++ up to 8.2.0, allowing for practical recovery of the long-term private key. Impact ====== An attacker might be able to recover long-term private key by measuring the duration of hundreds to thousands of signing operations of known messages. References ========== https://seclists.org/oss-sec/2019/q4/3 https://minerva.crocs.fi.muni.cz/ https://github.com/weidai11/cryptopp/issues/869 https://github.com/weidai11/cryptopp/pull/870/commits/80c59bcdb251043f27eef95a4f31224c4615c3ec https://github.com/weidai11/cryptopp/commit/c9ef9420e762 https://security.archlinux.org/CVE-2019-14318