[SECURITY] [DLA 600-1] libgcrypt11 security update

2016-08-2319:52:26

lists.debian.org

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

80.3%

JSON

Package : libgcrypt11
Version : 1.5.0-5+deb7u5
CVE ID : CVE-2016-6313

The crypto library libgcrypt11 has a weakness in the random number
generator.

CVE-2016-6313

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of
Technology found a bug in the mixing functions of Libgcrypt's random
number generator. An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output.

A first analysis on the impact of this bug in GnuPG shows that existing
RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely
that the private key can be predicted from other public information.

For Debian 7 "Wheezy", these problems have been fixed in version
1.5.0-5+deb7u5.

We recommend that you upgrade your libgcrypt11 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8mipslibgcrypt20-dev< 1.6.3-2+deb8u2libgcrypt20-dev_1.6.3-2+deb8u2_mips.deb
Debian8mipselgnupg-udeb< 1.4.18-7+deb8u2gnupg-udeb_1.4.18-7+deb8u2_mipsel.deb
Debian8armhflibgcrypt20-udeb< 1.6.3-2+deb8u2libgcrypt20-udeb_1.6.3-2+deb8u2_armhf.deb
Debian8mipsellibgcrypt20-dev< 1.6.3-2+deb8u2libgcrypt20-dev_1.6.3-2+deb8u2_mipsel.deb
Debian7armhfgnupg-curl< 1.4.12-7+deb7u8gnupg-curl_1.4.12-7+deb7u8_armhf.deb
Debian8armelgnupg-udeb< 1.4.18-7+deb8u2gnupg-udeb_1.4.18-7+deb8u2_armel.deb
Debian7alllibgcrypt11< 1.5.0-5+deb7u5libgcrypt11_1.5.0-5+deb7u5_all.deb
Debian8allgnupg< 1.4.18-7+deb8u2gnupg_1.4.18-7+deb8u2_all.deb
Debian8ppc64elgnupg-curl< 1.4.18-7+deb8u2gnupg-curl_1.4.18-7+deb8u2_ppc64el.deb
Debian8mipsgnupg< 1.4.18-7+deb8u2gnupg_1.4.18-7+deb8u2_mips.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mips	libgcrypt20-dev	< 1.6.3-2+deb8u2	libgcrypt20-dev_1.6.3-2+deb8u2_mips.deb
Debian	8	mipsel	gnupg-udeb	< 1.4.18-7+deb8u2	gnupg-udeb_1.4.18-7+deb8u2_mipsel.deb
Debian	8	armhf	libgcrypt20-udeb	< 1.6.3-2+deb8u2	libgcrypt20-udeb_1.6.3-2+deb8u2_armhf.deb
Debian	8	mipsel	libgcrypt20-dev	< 1.6.3-2+deb8u2	libgcrypt20-dev_1.6.3-2+deb8u2_mipsel.deb
Debian	7	armhf	gnupg-curl	< 1.4.12-7+deb7u8	gnupg-curl_1.4.12-7+deb7u8_armhf.deb
Debian	8	armel	gnupg-udeb	< 1.4.18-7+deb8u2	gnupg-udeb_1.4.18-7+deb8u2_armel.deb
Debian	7	all	libgcrypt11	< 1.5.0-5+deb7u5	libgcrypt11_1.5.0-5+deb7u5_all.deb
Debian	8	all	gnupg	< 1.4.18-7+deb8u2	gnupg_1.4.18-7+deb8u2_all.deb
Debian	8	ppc64el	gnupg-curl	< 1.4.18-7+deb8u2	gnupg-curl_1.4.18-7+deb8u2_ppc64el.deb
Debian	8	mips	gnupg	< 1.4.18-7+deb8u2	gnupg_1.4.18-7+deb8u2_mips.deb