libcryptopp-devel-8.6.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10933-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libcryptopp-devel-8.6.0-1.1 on GA media These are all security issues fixed in the libcryptopp-devel-8.6.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10933 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-14318/ SUSE CVE CVE-2019-14318 page https://www.suse.com/security/cve/CVE-2021-40530/ SUSE CVE CVE-2021-40530 page openSUSE Tumbleweed libcryptopp-devel-8.6.0-1.1 libcryptopp8_6_0-8.6.0-1.1 libcryptopp8_6_0-32bit-8.6.0-1.1 libcryptopp-devel-8.6.0-1.1 as a component of openSUSE Tumbleweed libcryptopp8_6_0-8.6.0-1.1 as a component of openSUSE Tumbleweed libcryptopp8_6_0-32bit-8.6.0-1.1 as a component of openSUSE Tumbleweed Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information. CVE-2019-14318 openSUSE Tumbleweed:libcryptopp-devel-8.6.0-1.1 openSUSE Tumbleweed:libcryptopp8_6_0-32bit-8.6.0-1.1 openSUSE Tumbleweed:libcryptopp8_6_0-8.6.0-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14318.html CVE-2019-14318 https://bugzilla.suse.com/1143532 SUSE Bug 1143532 https://bugzilla.suse.com/1145187 SUSE Bug 1145187 The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. CVE-2021-40530 openSUSE Tumbleweed:libcryptopp-devel-8.6.0-1.1 openSUSE Tumbleweed:libcryptopp8_6_0-32bit-8.6.0-1.1 openSUSE Tumbleweed:libcryptopp8_6_0-8.6.0-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-40530.html CVE-2021-40530 https://bugzilla.suse.com/1190243 SUSE Bug 1190243