Bugzilla – Bug 920057
VUL-1: CVE-2014-3591, CVE-2015-0837: libgcrypt, gpg: mitigations against side-channel attacks
Last modified: 2016-11-29 14:01:44 UTC
libgcrypt 1.6.3: http://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html
GnuPG 1.4.19: http://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html

> * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
>   See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
>
> * Fixed data-dependent timing variations in modular exponentiation
>   [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
>   are Practical].

GnuPG 2.0.x (stable) got 2.0.27
GnuPG 2.1.x (modern) got 2.1.2
However these two are not directly affected but use libgcrypt.
Commits for CVE-2014-3591:

libgcrypt master
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=410d70bad9a650e3837055e36f157894ae49a57d

libgcrypt 1.6.x CVE-2014-3591
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d482948ac41768c36c5352a513fca8c50d2da4db

libgcrypt 1.5.x CVE-2014-3591
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=35cd81f134c0da4e7e6fcfe40d270ee1251f52c2

GnuPG 1.4.x CVE-2014-3591
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b
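The ciphertext blinding named in the release notes above, shown as an added Python example (not code from libgcrypt, GnuPG or this bug report). The multiplicative blinding form, the toy parameters P and G, and all function names are assumptions made for illustration and are not taken from the linked commits.

```python
import secrets

# Toy parameters, constructed for this example; far too small for real use.
P = 2**127 - 1   # a Mersenne prime used as the group modulus
G = 3            # assumed base element


def _rand_exp():
    """Uniform value in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2


def keygen():
    x = _rand_exp()                 # private exponent
    return x, pow(G, x, P)          # (x, y = g^x mod p)


def encrypt(y, m):
    k = _rand_exp()                 # ephemeral exponent
    return pow(G, k, P), (m * pow(y, k, P)) % P   # ciphertext (a, b)


def decrypt_unblinded(x, a, b):
    """Pre-fix shape: the sender-chosen value a is the base of the
    secret-exponent exponentiation, so its side-channel trace is tied
    to attacker-controlled input."""
    if not 0 < a < P:
        raise ValueError("ciphertext component out of range")
    s = pow(a, x, P)
    return (b * pow(s, P - 2, P)) % P   # b * a^(-x), inverse via Fermat


def decrypt_blinded(x, a, b, trace=None):
    """Blinded shape: the secret exponent is only ever applied to
    a*r and r, where r is fresh and unknown to the sender."""
    if not 0 < a < P:
        raise ValueError("ciphertext component out of range")
    r = _rand_exp()                 # new blinding factor on every call
    blinded = (a * r) % P
    if trace is not None:
        trace.append(blinded)       # record the base, for inspection only
    s = pow(blinded, x, P)          # (a*r)^x
    unblind = pow(r, x, P)          # r^x cancels the blinding factor
    return (b * unblind * pow(s, P - 2, P)) % P   # equals b * a^(-x)
```

Python's built-in pow is not constant-time; the example shows only the algebra of blinding, not the timing fix tracked as CVE-2015-0837.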
bugbot adjusting priority
SUSE-SU-2015:1179-1: An update that solves one vulnerability and has 9 fixes is now available.
Category: security (moderate)
Bug References: 896202,896435,898003,899524,900275,900276,905483,920057,928740,929919
CVE References: CVE-2014-3591
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libgcrypt-1.6.1-13.1
SUSE Linux Enterprise Server 12 (src): libgcrypt-1.6.1-13.1
SUSE Linux Enterprise Desktop 12 (src): libgcrypt-1.6.1-13.1
This is an autogenerated message for OBS integration:
This bug (920057) was mentioned in
https://build.opensuse.org/request/show/323128 13.2+13.1 / libgcrypt
openSUSE-SU-2015:1503-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 920057
CVE References: CVE-2014-3591,CVE-2015-0837
Sources used:
openSUSE 13.2 (src): libgcrypt-1.6.1-8.6.1
openSUSE 13.1 (src): libgcrypt-1.5.4-2.8.1
SUSE-SU-2015:1511-1: An update that solves one vulnerability and has one errata is now available.
Category: security (moderate)
Bug References: 920057,938343
CVE References: CVE-2015-0837
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libgcrypt-1.6.1-16.1
SUSE Linux Enterprise Server 12 (src): libgcrypt-1.6.1-16.1
SUSE Linux Enterprise Desktop 12 (src): libgcrypt-1.6.1-16.1
SUSE-SU-2015:1626-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 920057
CVE References: CVE-2014-3591,CVE-2015-0837
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Server 11-SP4 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Server 11-SP3 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Desktop 11-SP4 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Desktop 11-SP3 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libgcrypt-1.5.0-0.19.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): libgcrypt-1.5.0-0.19.1
Vulnerability mentioned in:
http://arstechnica.com/security/2015/09/storing-secret-crypto-keys-in-the-amazon-cloud-new-attack-can-steal-them/
https://eprint.iacr.org/2015/898.pdf
released I think.