AVG-18
Package | crypto++ |
Status | Fixed |
Severity | Medium |
Type | information disclosure |
Affected | 5.6.4-2 |
Fixed | 5.6.5-1 |
Current | 8.9.0-1 [extra] |
Ticket | FS#51331 |
Created | Mon Sep 19 17:33:25 2016 |
Issue | Severity | Remote | Type | Description |
---|---|---|---|---|
CVE-2016-7420 | Medium | No | Information disclosure | Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definition disabling the many assert calls that are... |
Date | Advisory | Package | Type |
---|---|---|---|
12 Oct 2016 | ASA-201610-8 | crypto++ | information disclosure |
References |
---|
https://github.com/weidai11/cryptopp/issues/277 |
http://www.openwall.com/lists/oss-security/2016/09/15/12 |
Notes |
---|
5.6.4-2: Apparently we weren't vulnerable in the first place, but this commit made us vulnerable two days after the disclosure: https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/crypto%2b%2b&id=fc4dd81f39589eeb5bdb927587c0fbd2b41d47df |
5.6.5-1: Fixed in 5.6.5 because they replaced assert() with CRYPTOPP_ASSERT(), which is not enabled by default even if -DNDEBUG is not set. |