Bugzilla – Bug 1042326
VUL-0: CVE-2017-9526: libgcrypt: timing attack on EdDSA session key
Last modified: 2023-04-06 15:24:51 UTC
Fixed in libgrcypt 1.7.7: An attacker who learns the EdDSA session key from side-channel observation during the signing process, can easily recover the long- term secret key. Storing the session key in secure memory ensures that constant time point operations are used in the MPI library. master: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b 1.7.x: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56
Packages submitted: openSUSE:Factory 1.7.6 sr#500599 openSUSE:Leap:42.2:Update Comes from SUSE:SLE-12:Update openSUSE:Leap:42.1:Update Comes from SUSE:SLE-12:GA SUSE:SLE-12:Update 1.6.1 mr#133581 SUSE:SLE-11-SP2:Update 1.5.0 Not affected SUSE:SLE-11:Update 1.4.1 Not affected SUSE:SLE-10-SP3:Update 1.2.2 Not affected
CVE requested via webform
*** Bug 1043777 has been marked as a duplicate of this bug. ***
This is CVE-2017-9526
SUSE-SU-2017:1608-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1042326,931932 CVE References: CVE-2017-9526 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libgcrypt-1.6.1-16.39.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libgcrypt-1.6.1-16.39.1 SUSE Linux Enterprise Server 12-SP2 (src): libgcrypt-1.6.1-16.39.1 SUSE Linux Enterprise Desktop 12-SP2 (src): libgcrypt-1.6.1-16.39.1 OpenStack Cloud Magnum Orchestration 7 (src): libgcrypt-1.6.1-16.39.1
sle released. 42.2 released soon
openSUSE-SU-2017:1700-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1042326,931932 CVE References: CVE-2017-9526 Sources used: openSUSE Leap 42.2 (src): libgcrypt-1.6.1-34.3.1