Date: Wed, 7 Dec 2016 00:30:49 +0000 (UTC)
From: "Jason E. Hale" <jhale@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r428021 - head/security/vuxml
Message-ID: <201612070030.uB70UnEQ058162@repo.freebsd.org>
Author: jhale
Date: Wed Dec 7 00:30:49 2016
New Revision: 428021

URL: https://svnweb.freebsd.org/changeset/ports/428021

Log:
  Document vulnerabilities in security/cryptopp

  Security: CVE-2015-2141
  Security: CVE-2016-3995
  Security: CVE-2016-7420

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Dec 7 00:15:55 2016	(r428020)
+++ head/security/vuxml/vuln.xml	Wed Dec 7 00:30:49 2016	(r428021)
@@ -58,6 +58,49 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="eab68cff-bc0c-11e6-b2ca-001b3856973b"> + <topic>cryptopp -- multiple vulnerabilities</topic> + <affects> + <package> + <name>cryptopp</name> + <range><lt>5.6.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Multiple sources report:</p> + <blockquote cite="https://eprint.iacr.org/2015/368"> + <p>CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function + in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key + operations for the Rabin-Williams digital signature algorithm, which + allows remote attackers to obtain private keys via a timing attack. + Fixed in 5.6.3.</p> + </blockquote> + <blockquote cite="https://github.com/weidai11/cryptopp/issues/146"> + <p>CVE-2016-3995: Incorrect implementation of Rijndael timing attack + countermeasure. Fixed in 5.6.4.</p> + </blockquote> + <blockquote cite="https://github.com/weidai11/cryptopp/issues/277"> + <p>CVE-2016-7420: Library built without -DNDEBUG could egress sensitive + information to the filesystem via a core dump if an assert was triggered. + Fixed in 5.6.5.</p> + </blockquote> + </body> + </description> + <references> + <url>https://eprint.iacr.org/2015/368</url> + <url>https://github.com/weidai11/cryptopp/issues/146</url> + <url>https://github.com/weidai11/cryptopp/issues/277</url> + <cvename>CVE-2015-2141</cvename> + <cvename>CVE-2016-3995</cvename> + <cvename>CVE-2016-7420</cvename> + </references> + <dates> + <discovery>2015-02-27</discovery> + <entry>2016-12-06</entry> + </dates> + </vuln> + <vuln vid="e722e3c6-bbee-11e6-b1cf-14dae9d210b8"> <topic>FreeBSD -- bhyve(8) virtual machine escape</topic> <affects>
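Review bot: the single `<range><lt>5.6.5</lt></range>` under `<package><name>cryptopp</name>` is applied to all three CVEs, but the CVE-2016-7420 paragraph itself limits that issue to a library "built without -DNDEBUG"; before asserting that every port version below 5.6.5 is affected by it, confirm how the port's default build defines (or does not define) NDEBUG, otherwise the entry over-reports for that CVE and a pkg audit on a hardened build will flag it spuriously. The other two issues are fixed in 5.6.3 and 5.6.4 respectively, so the <lt>5.6.5</lt> upper bound is correct as the union of the three fix versions and the per-CVE "Fixed in" sentences make that explicit, which is good. Minor: each `<blockquote cite="...">` wraps a one-line summary ending in "Fixed in 5.6.x" rather than wording taken from the cited URL, and the first paragraph names the library "libcrypt++" while the topic and package use "cryptopp"; either quote the sources as written or use plain `<p>` text under "Multiple sources report:" so the cite attribute does not claim a verbatim quotation, and use one library name throughout.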