libgcrypt: Possible timing attack on EdDSA session key (CVE-2017-9526)
An attacker who learns the EdDSA session key from side-channel
observation during the signing process can easily recover the
long-term secret key. Storing the session key in secure memory ensures that constant-time point operations are used in the MPI library.
Fixed In Version:
Curve Ed25519 signing and verification implemented in 1.6.0 with
and following refactorings.
(from redmine: issue id 7431, created on 2017-06-15, closed on 2017-07-05)
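
Why a leaked session key is as damaging as a leaked long-term key, shown as an added example (not libgcrypt code): an Ed25519 signature satisfies S = r + h*a mod L, so whoever holds the session key r can solve for the secret scalar a. This is a pure-Python Ed25519 following RFC 8032; the function names are chosen here, and `sign` returns r only to model the leak.

```python
import hashlib

# Ed25519 parameters from RFC 8032.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # group order
D = -121665 * pow(121666, -1, P) % P
B = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     4 * pow(5, -1, P) % P)

def add(p, q):
    # Affine twisted-Edwards addition (a = -1); complete, so it also doubles.
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k, p):
    # Textbook double-and-add: variable time, for illustration only.
    acc = (0, 1)
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def enc(p):
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def h_int(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def expand(seed):
    d = hashlib.sha512(seed).digest()
    a = int.from_bytes(d[:32], "little") & ((1 << 254) - 8) | (1 << 254)
    return a, d[32:]  # clamped secret scalar, nonce prefix

def sign(seed, msg):
    a, prefix = expand(seed)
    A = enc(mul(a, B))
    r = h_int(prefix, msg) % L  # the session key the advisory refers to
    R = enc(mul(r, B))
    S = (r + h_int(R, A, msg) * a) % L
    return R + S.to_bytes(32, "little"), A, r  # r returned only to model the leak

def scalar_from_session_key(sig, A, msg, r):
    # S = r + h*a (mod L)  =>  a = (S - r) * h^-1 (mod L)
    S = int.from_bytes(sig[32:], "little")
    h = h_int(sig[:32], A, msg) % L
    return (S - r) * pow(h, -1, L) % L
```

The value returned is the secret scalar reduced mod L, which generates the same public key, so the session key needs the same secure-memory and constant-time handling as the long-term key.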