Hi Everyone,
Crypto++ 8.4 was released today. The 8.4 release was a minor, unplanned release. There were no CVEs cleared and one memory error cleared. A recompile of programs is required due to an unintentional ABI break in Crypto++ 8.3.
The Crypto++ 8.4 release removed the defective code used in Elliptic Curves. The defective code was added at Crypto++ 8.3. That means the timing leak is present again, and CVE-2019-14318 is active again.
The release notes and list of issues fixed can be found at
http://www.cryptopp.com/release840.html. The 8.4.0 ZIP archive can be downloaded from
http://www.cryptopp.com/cryptopp840.zip. A GPG signature can be downloaded from
http://www.cryptopp.com/cryptopp840.zip.sig.
The checksums for the 8.4.0 ZIP archive are:
* SHA1: f964e176c4543593579a2f0ba48b6a79eb128001
* SHA256: c0f5e5cd2c693c8160e9c51666e95949a1c19fd4fe4fef874af2ec1e42757b9a
* SHA512: 4c32b6a9ce8a6925286185f65f7413fa1a430471f09624219656b1d088674c56f95fcc3b64f611632f12cb56dfecdcd41c9d1468942b8c391425a548245dde09
* BLAKE2b: de57ece8644aef68e40527e2dfe1892f924f1939617ce11d8d27253f15f2dd11cba6e594dd32f75ce799392c12ef22472fcb2f3e44b9c66bb2ae093d4c7e781e
* WHIRLPOOL: ac7ed4ec3ff948858abf0166c5430564ef72a0baf6d2b3857a8a5bcdb1cad944742f581b50613b5a1d39fc165edc965910927b2fce4a31a71ddb19bee87a6498
The 8.4.0 sources can be checked out from GitHub using the following. It is tagged as CRYPTOPP_8_4_0 at GitHub.
* git clone
http://github.com/weidai11/cryptopp.git cryptopp
There are 19 outstanding issues. Most of them are feature requests and enhancements.
Thanks to everyone who made it happen.
Jeff