Medium: libgcrypt

2015-08-04T17:43:00
ID ALAS-2015-577
Type amazon
Reporter Amazon
Modified 2015-08-04T17:43:00

Description

Issue Overview:

Fix a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak. (CVE-2015-0837 __)

Fix a side-channel attack which can potentially lead to an information leak. (CVE-2014-3591 __)

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576 __, which was fixed in ALAS-2014-278. (CVE-2014-5270 __)

Affected Packages:

libgcrypt

Issue Correction:
Run yum update libgcrypt to update your system.

New Packages:

i686:  
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686  
    libgcrypt-devel-1.5.3-12.18.amzn1.i686  
    libgcrypt-1.5.3-12.18.amzn1.i686

src:  
    libgcrypt-1.5.3-12.18.amzn1.src

x86_64:  
    libgcrypt-devel-1.5.3-12.18.amzn1.x86_64  
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64  
    libgcrypt-1.5.3-12.18.amzn1.x86_64