CVE-2015-2141 — libcrypto++ - security update

Description

The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack.

How to fix CVE-2015-2141

To remediate CVE-2015-2141, upgrade the affected package to a fixed version below.

Debian/libcrypto++—upgrade to 5.6.1-7 or later
Debian/libcrypto++—upgrade to 5.6.0-6+deb6u1 or later
Debian/libcrypto++—upgrade to 5.6.1-6+deb7u1 or later

Is CVE-2015-2141 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 5.6.1-7
from 0, < 5.6.0-6+deb6u1
from 0, < 5.6.1-6+deb7u1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-2141