[SECURITY] [DSA 3185-1] libgcrypt11 security update

2015-03-1217:53:56

lists.debian.org

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

65.0%

JSON

Debian Security Advisory DSA-3185-1 [email protected]
http://www.debian.org/security/ Alessandro Ghedini
March 12, 2015 http://www.debian.org/security/faq

Package : libgcrypt11
CVE ID : CVE-2014-3591 CVE-2015-0837

Multiple vulnerabilities were discovered in libgcrypt:

CVE-2014-3591

The Elgamal decryption routine was susceptible to a side-channel
attack discovered by researchers of Tel Aviv University. Ciphertext
blinding was enabled to counteract it. Note that this may have a
quite noticeable impact on Elgamal decryption performance.

CVE-2015-0837

The modular exponentiation routine mpi_powm() was susceptible to a
side-channel attack caused by data-dependent timing variations when
accessing its internal pre-computed table.

For the stable distribution (wheezy), these problems have been fixed in
version 1.5.0-5+deb7u3.

We recommend that you upgrade your libgcrypt11 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian7powerpclibgcrypt11-dbg< 1.5.0-5+deb7u3libgcrypt11-dbg_1.5.0-5+deb7u3_powerpc.deb
Debian7s390gnupg-udeb< 1.4.12-7+deb7u7gnupg-udeb_1.4.12-7+deb7u7_s390.deb
Debian7s390xgnupg< 1.4.12-7+deb7u7gnupg_1.4.12-7+deb7u7_s390x.deb
Debian7kfreebsd-i386gpgv-udeb< 1.4.12-7+deb7u7gpgv-udeb_1.4.12-7+deb7u7_kfreebsd-i386.deb
Debian7mipsellibgcrypt11-dbg< 1.5.0-5+deb7u3libgcrypt11-dbg_1.5.0-5+deb7u3_mipsel.deb
Debian7kfreebsd-i386libgcrypt11-udeb< 1.5.0-5+deb7u3libgcrypt11-udeb_1.5.0-5+deb7u3_kfreebsd-i386.deb
Debian7s390xlibgcrypt11-dev< 1.5.0-5+deb7u3libgcrypt11-dev_1.5.0-5+deb7u3_s390x.deb
Debian7amd64libgcrypt11-dbg< 1.5.0-5+deb7u3libgcrypt11-dbg_1.5.0-5+deb7u3_amd64.deb
Debian7powerpcgpgv< 1.4.12-7+deb7u7gpgv_1.4.12-7+deb7u7_powerpc.deb
Debian7sparcgnupg-curl< 1.4.12-7+deb7u7gnupg-curl_1.4.12-7+deb7u7_sparc.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	powerpc	libgcrypt11-dbg	< 1.5.0-5+deb7u3	libgcrypt11-dbg_1.5.0-5+deb7u3_powerpc.deb
Debian	7	s390	gnupg-udeb	< 1.4.12-7+deb7u7	gnupg-udeb_1.4.12-7+deb7u7_s390.deb
Debian	7	s390x	gnupg	< 1.4.12-7+deb7u7	gnupg_1.4.12-7+deb7u7_s390x.deb
Debian	7	kfreebsd-i386	gpgv-udeb	< 1.4.12-7+deb7u7	gpgv-udeb_1.4.12-7+deb7u7_kfreebsd-i386.deb
Debian	7	mipsel	libgcrypt11-dbg	< 1.5.0-5+deb7u3	libgcrypt11-dbg_1.5.0-5+deb7u3_mipsel.deb
Debian	7	kfreebsd-i386	libgcrypt11-udeb	< 1.5.0-5+deb7u3	libgcrypt11-udeb_1.5.0-5+deb7u3_kfreebsd-i386.deb
Debian	7	s390x	libgcrypt11-dev	< 1.5.0-5+deb7u3	libgcrypt11-dev_1.5.0-5+deb7u3_s390x.deb
Debian	7	amd64	libgcrypt11-dbg	< 1.5.0-5+deb7u3	libgcrypt11-dbg_1.5.0-5+deb7u3_amd64.deb
Debian	7	powerpc	gpgv	< 1.4.12-7+deb7u7	gpgv_1.4.12-7+deb7u7_powerpc.deb
Debian	7	sparc	gnupg-curl	< 1.4.12-7+deb7u7	gnupg-curl_1.4.12-7+deb7u7_sparc.deb