Source: libcrypto++ Version: 8.6.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/weidai11/cryptopp/issues/1080 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for libcrypto++. Filling this bug mainly for tracking downstream the upstream issue (to date not yet answered upstream). CVE-2021-43398[0]: | Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in | MakePublicKey(). There is a clear correlation between execution time | and private key length, which may cause disclosure of the length | information of the private key. This might allow attackers to conduct | timing attacks. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-43398 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43398 [1] https://github.com/weidai11/cryptopp/issues/1080 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
