Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 579750 (CVE-2016-3995) - <dev-libs/crypto++-3.6.4: bogus protection from timing attacks
Summary: <dev-libs/crypto++-3.6.4: bogus protection from timing attacks
Alias: CVE-2016-3995
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: 570416 611504
  Show dependency tree
Reported: 2016-04-12 14:47 UTC by Agostino Sarubbo
Modified: 2017-04-30 21:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-12 14:47:48 UTC
From ${URL} :

A vulnerability was found in cryptopp library. A counter measure against timing attack was 
incorrectly implemented.

External references:

References and CVE assignment:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2016-10-03 23:17:26 UTC
3.6.4 is in tree, but significant build changes, we need time to stabilize.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 16:56:32 UTC
v3.6.4 available in Gentoo repository since

@ Maintainer(s): Can we stabilize =dev-libs/crypto++-5.6.4-r4?
Comment 3 Alon Bar-Lev (RETIRED) gentoo-dev 2016-11-19 18:09:21 UTC
dev-libs/crypto++-5.6.5 is a candidate for stabilization, however, upstream changed and has a little knowledge about the downstream process, it added some breakages and continue to do so, example bug#597994. I am waiting for next version that includes some remedy.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:20:00 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2017-04-30 19:34:50 UTC
Already done :)
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 21:13:53 UTC
Thank you, just clearing the whiteboard. 

GLSA Vote: No