Advisories » MGASA-2016-0147

Updated libcryptopp packages fix CVE-2016-3995

Publication date: 25 Apr 2016
Modification date: 25 Apr 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3995

Description

Updated libcryptopp packages fix security vulnerability:

In libcryptopp, for both Rijndael::Enc::ProcessAndXorBlock and
Rijndael::Dec::ProcessAndXorBlock there is some code to avoid timing attacks,
however it is removed by the compiler due to optimizations, making the binary
vulnerable to timing attacks (CVE-2016-3995).

This update also corrects some bugs with the package.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18184
• https://lists.fedoraproject.org/pipermail/package-announce/2016-April/182297.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3995

SRPMS

5/core

• libcryptopp-5.6.3-1.1.mga5