First Last Prev Next    This bug is not in your last search results.
Bug 965902 - (CVE-2015-7511) VUL-0: CVE-2015-7511: libgcrypt: side-channel attack on ECDH with Weierstrass curves
(CVE-2015-7511)
VUL-0: CVE-2015-7511: libgcrypt: side-channel attack on ECDH with Weierstrass...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2015-7511:4.3:(AV:A/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-09 16:14 UTC by Andreas Stieger
Modified: 2016-08-17 20:19 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-02-09 16:14:23 UTC 
From https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html

>  * Mitigate side-channel attack on ECDH with Weierstrass curves
>    [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>    details.

Fixed in 1.6.5

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=88e1358962e902ff1cbec8d53ba3eee46407851a

Note that there are other commits to the ECC code in the same release which need to be checked.

> Thanks to Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran
> Tromer.   http://www.cs.tau.ac.IL/~tromer/ecdh/
> 
> This could be an effective contermeasure to some chosen cipher text
> attacks.
Comment 1 Swamp Workflow Management 2016-02-09 23:01:24 UTC 
bugbot adjusting priority
Comment 6 Marcus Meissner 2016-02-10 13:30:14 UTC 
This issue does not affect SUSE Linux Enterprise 10, as the affected code is not present.
Comment 7 Swamp Workflow Management 2016-02-25 10:12:17 UTC 
openSUSE-SU-2016:0575-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 965902
CVE References: CVE-2015-7511
Sources used:
openSUSE 13.2 (src):    libgcrypt-1.6.1-8.13.1
Comment 10 Přemysl Janouch 2016-04-04 14:06:22 UTC 
I've had a look at the version in SLE 11 and it seems to be a considerably different codebase. In my opinion it's an utter waste of time trying to backport it there (agreeing here with Sebastian).

I've just submitted the backported fix for SLE 12.
Comment 11 Swamp Workflow Management 2016-04-18 11:08:43 UTC 
SUSE-SU-2016:1089-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 965902
CVE References: CVE-2015-7511
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libgcrypt-1.6.1-16.27.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libgcrypt-1.6.1-16.27.1
SUSE Linux Enterprise Server 12-SP1 (src):    libgcrypt-1.6.1-16.27.1
SUSE Linux Enterprise Server 12 (src):    libgcrypt-1.6.1-16.27.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libgcrypt-1.6.1-16.27.1
SUSE Linux Enterprise Desktop 12 (src):    libgcrypt-1.6.1-16.27.1
Comment 12 Swamp Workflow Management 2016-05-04 14:14:00 UTC 
openSUSE-SU-2016:1227-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 965902
CVE References: CVE-2015-7511
Sources used:
openSUSE Leap 42.1 (src):    libgcrypt-1.6.1-26.1
Comment 13 Marcus Meissner 2016-05-25 14:56:33 UTC 
released
First Last Prev Next    This bug is not in your last search results.