ID OPENVAS:867209 Type openvas Reporter Copyright (C) 2013 Greenbone Networks GmbH Modified 2018-01-18T00:00:00
Description
Check for the Version of gnupg
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for gnupg FEDORA-2013-23678
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");
if(description)
{
script_id(867209);
script_version("$Revision: 8456 $");
script_tag(name:"last_modification", value:"$Date: 2018-01-18 07:58:40 +0100 (Thu, 18 Jan 2018) $");
script_tag(name:"creation_date", value:"2013-12-30 12:25:04 +0530 (Mon, 30 Dec 2013)");
script_cve_id("CVE-2013-4576", "CVE-2013-4402", "CVE-2013-4351", "CVE-2013-4242");
script_tag(name:"cvss_base", value:"5.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_name("Fedora Update for gnupg FEDORA-2013-23678");
tag_insight = "GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and
creating digital signatures. GnuPG has advanced key management
capabilities and is compliant with the proposed OpenPGP Internet
standard described in RFC2440. Since GnuPG doesn't use any patented
algorithm, it is not compatible with any version of PGP2 (PGP2.x uses
only IDEA for symmetric-key encryption, which is patented worldwide).
";
tag_affected = "gnupg on Fedora 18";
tag_solution = "Please Install the Updated Packages.";
script_tag(name : "affected" , value : tag_affected);
script_tag(name : "insight" , value : tag_insight);
script_tag(name : "solution" , value : tag_solution);
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name: "FEDORA", value: "2013-23678");
script_xref(name: "URL" , value: "https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html");
script_tag(name: "summary" , value: "Check for the Version of gnupg");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2013 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");
exit(0);
}
include("pkg-lib-rpm.inc");
release = get_kb_item("ssh/login/release");
res = "";
if(release == NULL){
exit(0);
}
if(release == "FC18")
{
if ((res = isrpmvuln(pkg:"gnupg", rpm:"gnupg~1.4.16~2.fc18", rls:"FC18")) != NULL)
{
security_message(data:res);
exit(0);
}
if (__pkg_match) exit(99); # Not vulnerable.
exit(0);
}
{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "Fedora Local Security Checks", "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html", "2013-23678"], "description": "Check for the Version of gnupg", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "f246ecc3d56f85b4ae5e17313215c2c4"}, {"key": "cvss", "hash": "aa48a6bdcab91a600eca490863982fbd"}, {"key": "description", "hash": "0f8d318ecd5cda96c02be72832dead69"}, {"key": "href", "hash": "9d0e50d776c7f20e8eecb0c0b4295ec1"}, {"key": "modified", "hash": "2bd1a888d4d32830ca7e123d42f56c1e"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "edefdf583888956d1c9b53b073f1fdf5"}, {"key": "published", "hash": "cd65f662baff1fb85356630a87c09667"}, {"key": "references", "hash": "f663bec8cada350c1998f1bc7b311de5"}, {"key": "reporter", "hash": "eb0d3e4b46c4b283eb1ce082bbd5ff31"}, {"key": "sourceData", "hash": "a3407c5a17de22bc4b97400274eb06a7"}, {"key": "title", "hash": "a0922746830cb65d7e6ef7ee48b71a63"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=867209", "modified": "2018-01-18T00:00:00", "objectVersion": "1.3", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "id": "OPENVAS:867209", "title": "Fedora Update for gnupg FEDORA-2013-23678", "hash": "2ceca0861263a1627fdd47f1ae85822d4d5f61d84635d6f5376b0a158451187f", "edition": 3, "published": "2013-12-30T00:00:00", "type": "openvas", "history": [{"lastseen": "2017-07-02T21:11:24", "bulletin": {"hash": "873a9970396fc4db0d98973c275b40e33fe0391cb46f60fe19e29c475a82ac28", "viewCount": 0, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html", "2013-23678"], "description": "Check for the Version of gnupg", "hashmap": [{"key": "description", "hash": "0f8d318ecd5cda96c02be72832dead69"}, {"key": "references", "hash": "f663bec8cada350c1998f1bc7b311de5"}, {"key": "sourceData", "hash": "eb3f0e10f4e68d7720970319c62bd0b7"}, {"key": "pluginID", "hash": "edefdf583888956d1c9b53b073f1fdf5"}, {"key": "published", "hash": "cd65f662baff1fb85356630a87c09667"}, {"key": "href", "hash": "9d0e50d776c7f20e8eecb0c0b4295ec1"}, {"key": "cvss", "hash": "aa48a6bdcab91a600eca490863982fbd"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "reporter", "hash": "eb0d3e4b46c4b283eb1ce082bbd5ff31"}, {"key": "modified", "hash": "2b34fbedebd1ef437819c862d331e480"}, {"key": "cvelist", "hash": "f246ecc3d56f85b4ae5e17313215c2c4"}, {"key": "title", "hash": "a0922746830cb65d7e6ef7ee48b71a63"}], "naslFamily": "Fedora Local Security Checks", "modified": "2016-03-17T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=867209", "published": "2013-12-30T00:00:00", "enchantments": {}, "id": "OPENVAS:867209", "title": "Fedora Update for gnupg FEDORA-2013-23678", "bulletinFamily": "scanner", "edition": 1, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-23678\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867209);\n script_version(\"$Revision: 2882 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-03-17 15:39:13 +0100 (Thu, 17 Mar 2016) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 12:25:04 +0530 (Mon, 30 Dec 2013)\");\n script_cve_id(\"CVE-2013-4576\", \"CVE-2013-4402\", \"CVE-2013-4351\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-23678\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-23678\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html\");\n script_summary(\"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:fedoraproject:fedora\", \"login/SSH/success\", \"ssh/login/release\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.16~2.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "type": "openvas", "history": [], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2013-4576", "CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "lastseen": "2017-07-02T21:11:24", "pluginID": "867209"}, "differentElements": ["modified", "sourceData"], "edition": 1}, {"lastseen": "2017-07-25T10:52:11", "bulletin": {"hash": "9ec22bccf9b046207fa23b162eed4e586f81c73c163b1794f87c4494370fdeb9", "viewCount": 0, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html", "2013-23678"], "description": "Check for the Version of gnupg", "hashmap": [{"key": "description", "hash": "0f8d318ecd5cda96c02be72832dead69"}, {"key": "references", "hash": "f663bec8cada350c1998f1bc7b311de5"}, {"key": "pluginID", "hash": "edefdf583888956d1c9b53b073f1fdf5"}, {"key": "published", "hash": "cd65f662baff1fb85356630a87c09667"}, {"key": "href", "hash": "9d0e50d776c7f20e8eecb0c0b4295ec1"}, {"key": "cvss", "hash": "aa48a6bdcab91a600eca490863982fbd"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "sourceData", "hash": "bd70529b322f3f597dedc830278d2b91"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "reporter", "hash": "eb0d3e4b46c4b283eb1ce082bbd5ff31"}, {"key": "cvelist", "hash": "f246ecc3d56f85b4ae5e17313215c2c4"}, {"key": "modified", "hash": "0d134bf170d66438eb1e01173ee0187f"}, {"key": "title", "hash": "a0922746830cb65d7e6ef7ee48b71a63"}], "naslFamily": "Fedora Local Security Checks", "modified": "2017-07-10T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=867209", "published": "2013-12-30T00:00:00", "enchantments": {"score": {"value": 3.3, "modified": "2017-07-25T10:52:11"}}, "id": "OPENVAS:867209", "title": "Fedora Update for gnupg FEDORA-2013-23678", "bulletinFamily": "scanner", "edition": 2, "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-23678\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867209);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 12:25:04 +0530 (Mon, 30 Dec 2013)\");\n script_cve_id(\"CVE-2013-4576\", \"CVE-2013-4402\", \"CVE-2013-4351\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-23678\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-23678\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html\");\n script_summary(\"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.16~2.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "type": "openvas", "history": [], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2013-4576", "CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "lastseen": "2017-07-25T10:52:11", "pluginID": "867209"}, "differentElements": ["modified", "sourceData"], "edition": 2}], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2013-4576", "CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "lastseen": "2018-01-18T11:09:39", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-23678\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867209);\n script_version(\"$Revision: 8456 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-18 07:58:40 +0100 (Thu, 18 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 12:25:04 +0530 (Mon, 30 Dec 2013)\");\n script_cve_id(\"CVE-2013-4576\", \"CVE-2013-4402\", \"CVE-2013-4351\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-23678\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-23678\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.16~2.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "pluginID": "867209"}
{"cve": [{"lastseen": "2016-09-03T18:46:46", "references": ["http://lists.opensuse.org/opensuse-updates/2013-10/msg00003.html", "http://rhn.redhat.com/errata/RHSA-2013-1459.html", "http://www.debian.org/security/2013/dsa-2773", "http://www.debian.org/security/2013/dsa-2774", "https://bugzilla.redhat.com/show_bug.cgi?id=1010137", "http://ubuntu.com/usn/usn-1987-1", "http://www.openwall.com/lists/oss-security/2013/09/13/4", "http://thread.gmane.org/gmane.comp.encryption.gpg.devel/17712/focus=18138", "http://lists.opensuse.org/opensuse-updates/2013-10/msg00006.html"], "edition": 1, "description": "GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.", "reporter": "NVD", "published": "2013-10-09T20:55:15", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "cve", "title": "CVE-2013-4351", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-4351"], "scanner": [], "modified": "2014-01-03T23:48:39", "cpe": ["cpe:/a:gnupg:gnupg:1.4.12", "cpe:/a:gnupg:gnupg:1.4.4", "cpe:/a:gnupg:gnupg:1.4.5", "cpe:/a:gnupg:gnupg:2.0.10", "cpe:/a:gnupg:gnupg:2.0.18", "cpe:/a:gnupg:gnupg:2.0.8", "cpe:/a:gnupg:gnupg:2.0.3", "cpe:/a:gnupg:gnupg:2.0.4", "cpe:/a:gnupg:gnupg:2.0.13", "cpe:/a:gnupg:gnupg:2.0.12", "cpe:/a:gnupg:gnupg:2.0.5", "cpe:/a:gnupg:gnupg:2.0.7", "cpe:/a:gnupg:gnupg:2.0.1", "cpe:/a:gnupg:gnupg:2.0.14", "cpe:/a:gnupg:gnupg:1.4.11", "cpe:/a:gnupg:gnupg:1.4.13", "cpe:/a:gnupg:gnupg:1.4.10", "cpe:/a:gnupg:gnupg:2.0.19", "cpe:/a:gnupg:gnupg:1.4.0", "cpe:/a:gnupg:gnupg:1.4.2", "cpe:/a:gnupg:gnupg:2.0.16", "cpe:/a:gnupg:gnupg:1.4.8", "cpe:/a:gnupg:gnupg:1.4.6", "cpe:/a:gnupg:gnupg:2.1.0:beta1", "cpe:/a:gnupg:gnupg:2.0.15", "cpe:/a:gnupg:gnupg:1.4.3", "cpe:/a:gnupg:gnupg:2.0", "cpe:/a:gnupg:gnupg:2.0.11", "cpe:/a:gnupg:gnupg:2.0.6", "cpe:/a:gnupg:gnupg:2.0.17"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4351", "id": "CVE-2013-4351", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-08-29T10:47:53", "references": ["http://www.debian.org/security/2013/dsa-2821", "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846", "http://seclists.org/oss-sec/2013/q4/523", "http://www.securityfocus.com/bid/64424", "http://rhn.redhat.com/errata/RHSA-2014-0016.html", "http://www.securitytracker.com/id/1029513", "http://www.cs.tau.ac.il/~tromer/acoustic/", "http://www.ubuntu.com/usn/USN-2059-1", "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf", "http://seclists.org/oss-sec/2013/q4/520", "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"], "edition": 2, "description": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.", "reporter": "NVD", "published": "2013-12-20T16:55:06", "title": "CVE-2013-4576", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-4576"], "scanner": [], "cpe": ["cpe:/a:gnupg:gnupg:1.4.12", "cpe:/a:gnupg:gnupg:1.4.4", "cpe:/a:gnupg:gnupg:1.4.5", "cpe:/a:gnupg:gnupg:1.2.2", "cpe:/a:gnupg:gnupg:1.3.92", "cpe:/a:gnupg:gnupg:1.3.90", "cpe:/a:gnupg:gnupg:1.2.1", "cpe:/a:gnupg:gnupg:1.2.7", "cpe:/a:gnupg:gnupg:1.2.4", "cpe:/a:gnupg:gnupg:1.4.15", "cpe:/a:gnupg:gnupg:1.0.4:-:win32", "cpe:/a:gnupg:gnupg:1.2.1:windows", "cpe:/a:gnupg:gnupg:1.2.6", "cpe:/a:gnupg:gnupg:1.4", "cpe:/a:gnupg:gnupg:1.0.5:-:win32", "cpe:/a:gnupg:gnupg:1.0.1", "cpe:/a:gnupg:gnupg:1.0.4", "cpe:/a:gnupg:gnupg:1.4.14", "cpe:/a:gnupg:gnupg:1.3.2", "cpe:/a:gnupg:gnupg:1.0.2", "cpe:/a:gnupg:gnupg:1.3.93", "cpe:/a:gnupg:gnupg:1.4.11", "cpe:/a:gnupg:gnupg:1.4.13", "cpe:/a:gnupg:gnupg:1.4.10", "cpe:/a:gnupg:gnupg:1.4.0", "cpe:/a:gnupg:gnupg:1.0.0", "cpe:/a:gnupg:gnupg:1.3.3", "cpe:/a:gnupg:gnupg:1.4.2", "cpe:/a:gnupg:gnupg:1.3.91", "cpe:/a:gnupg:gnupg:1.2.5", "cpe:/a:gnupg:gnupg:1.4.8", "cpe:/a:gnupg:gnupg:1.4.6", "cpe:/a:gnupg:gnupg:1.0.6", "cpe:/a:gnupg:gnupg:1.0.3", "cpe:/a:gnupg:gnupg:1.0.5", "cpe:/a:gnupg:gnupg:1.0.7", "cpe:/a:gnupg:gnupg:1.3.0", "cpe:/a:gnupg:gnupg:1.3.6", "cpe:/a:gnupg:gnupg:1.3.4", "cpe:/a:gnupg:gnupg:1.4.3", "cpe:/a:gnupg:gnupg:1.3.1", "cpe:/a:gnupg:gnupg:1.2.0", "cpe:/a:gnupg:gnupg:1.2.3"], "modified": "2017-08-28T21:33:38", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4576", "id": "CVE-2013-4576", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-03T18:47:22", "references": ["http://lists.opensuse.org/opensuse-updates/2013-10/msg00020.html", "http://rhn.redhat.com/errata/RHSA-2013-1459.html", "http://www.debian.org/security/2013/dsa-2773", "http://www.debian.org/security/2013/dsa-2774", "http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000334.html", "http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000333.html", "http://lists.opensuse.org/opensuse-updates/2013-10/msg00025.html", "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725433", "http://www.ubuntu.com/usn/USN-1987-1", "https://bugzilla.redhat.com/show_bug.cgi?id=1015685"], "edition": 1, "description": "The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.", "reporter": "NVD", "published": "2013-10-28T18:55:03", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "cve", "title": "CVE-2013-4402", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-4402"], "scanner": [], "modified": "2014-01-03T23:48:47", "cpe": ["cpe:/a:gnupg:gnupg:1.4.12", "cpe:/a:gnupg:gnupg:1.4.4", "cpe:/a:gnupg:gnupg:1.4.5", "cpe:/a:gnupg:gnupg:2.0.10", "cpe:/a:gnupg:gnupg:2.0.18", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/a:gnupg:gnupg:2.0.13", "cpe:/a:gnupg:gnupg:2.0.12", "cpe:/a:gnupg:gnupg:1.4.14", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/a:gnupg:gnupg:2.0.1", "cpe:/a:gnupg:gnupg:2.0.14", "cpe:/a:gnupg:gnupg:1.4.11", "cpe:/a:gnupg:gnupg:1.4.13", "cpe:/a:gnupg:gnupg:1.4.10", "cpe:/a:gnupg:gnupg:2.0.19", "cpe:/a:gnupg:gnupg:1.4.0", "cpe:/a:gnupg:gnupg:1.4.2", "cpe:/a:gnupg:gnupg:2.0.16", "cpe:/o:canonical:ubuntu_linux:13.04", "cpe:/a:gnupg:gnupg:1.4.8", "cpe:/a:gnupg:gnupg:2.0.21", "cpe:/a:gnupg:gnupg:2.0.15", "cpe:/a:gnupg:gnupg:1.4.3", "cpe:/a:gnupg:gnupg:2.0", "cpe:/a:gnupg:gnupg:2.0.11", "cpe:/a:gnupg:gnupg:2.0.17", "cpe:/a:gnupg:gnupg:2.0.20", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402", "id": "CVE-2013-4402", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-18T15:53:59", "references": ["http://www.securityfocus.com/bid/61464", "http://www.ubuntu.com/usn/USN-1923-1", "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705", "http://www.kb.cert.org/vuls/id/976534", "http://rhn.redhat.com/errata/RHSA-2013-1457.html", "http://www.debian.org/security/2013/dsa-2731", "http://lists.opensuse.org/opensuse-updates/2013-08/msg00003.html", "http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html", "http://eprint.iacr.org/2013/448", "http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html", "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717880", "http://www.debian.org/security/2013/dsa-2730"], "edition": 2, "description": "GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.", "reporter": "NVD", "published": "2013-08-19T19:55:09", "title": "CVE-2013-4242", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-4242"], "scanner": [], "modified": "2016-12-07T22:03:31", "cpe": ["cpe:/a:gnupg:gnupg:0.9.2", "cpe:/a:gnupg:gnupg:0.9.3", "cpe:/a:gnupg:gnupg:1.4.12", "cpe:/o:debian:debian_linux:6.0", "cpe:/a:gnupg:gnupg:0.0.0:-", "cpe:/a:gnupg:gnupg:1.2.2", "cpe:/o:novell:opensuse:12.3", "cpe:/a:gnupg:gnupg:0.3.1", "cpe:/a:gnupg:gnupg:0.2.16", "cpe:/a:gnupg:gnupg:1.3.92", "cpe:/a:gnupg:gnupg:0.9.6", "cpe:/a:gnupg:gnupg:1.3.90", "cpe:/a:gnupg:gnupg:1.2.1", "cpe:/a:gnupg:gnupg:1.2.7", "cpe:/a:gnupg:gnupg:2.0.10", "cpe:/a:gnupg:gnupg:0.3.2", "cpe:/a:gnupg:gnupg:1.2.4", "cpe:/a:gnupg:gnupg:0.9.9", "cpe:/a:gnupg:gnupg:0.9.4", "cpe:/a:gnupg:gnupg:0.4.5", "cpe:/a:gnupg:gnupg:1.0.4:-:win32", "cpe:/a:gnupg:gnupg:1.2.1:windows", "cpe:/a:gnupg:gnupg:1.2.6", "cpe:/a:gnupg:gnupg:0.3.5", "cpe:/a:gnupg:gnupg:2.0.18", "cpe:/a:gnupg:gnupg:0.9.1", "cpe:/a:gnupg:gnupg:2.0.8", "cpe:/a:gnupg:libgcrypt:1.4.6", "cpe:/a:gnupg:gnupg:0.9.11", "cpe:/a:gnupg:gnupg:0.4.3", "cpe:/a:gnupg:gnupg:0.3.0", "cpe:/a:gnupg:gnupg:1.0.5:-:win32", "cpe:/a:gnupg:gnupg:2.0.3", "cpe:/a:gnupg:gnupg:0.2.15", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/a:gnupg:gnupg:1.0.1", "cpe:/a:gnupg:gnupg:0.9.0", "cpe:/a:gnupg:gnupg:2.0.4", "cpe:/a:gnupg:gnupg:2.0.13", "cpe:/a:gnupg:gnupg:0.9.8", "cpe:/a:gnupg:gnupg:2.0.12", "cpe:/a:gnupg:gnupg:1.0.4", "cpe:/a:gnupg:gnupg:2.0.5", "cpe:/a:gnupg:gnupg:0.4.0", "cpe:/a:gnupg:gnupg:0.9.5", "cpe:/a:gnupg:libgcrypt:1.5.0", "cpe:/a:gnupg:gnupg:2.0.7", "cpe:/a:gnupg:gnupg:0.4.4", "cpe:/a:gnupg:gnupg:0.2.18", "cpe:/a:gnupg:gnupg:0.9.7", "cpe:/a:gnupg:gnupg:0.3.4", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/a:gnupg:gnupg:1.3.2", "cpe:/a:gnupg:gnupg:1.0.2", "cpe:/a:gnupg:gnupg:1.3.93", "cpe:/a:gnupg:libgcrypt:1.4.3", "cpe:/a:gnupg:gnupg:2.0.1", "cpe:/a:gnupg:gnupg:2.0.14", "cpe:/a:gnupg:gnupg:1.4.11", "cpe:/a:gnupg:gnupg:1.4.13", "cpe:/a:gnupg:gnupg:1.4.10", "cpe:/a:gnupg:libgcrypt:1.4.0", "cpe:/a:gnupg:gnupg:2.0.19", "cpe:/a:gnupg:gnupg:1.4.0", "cpe:/a:gnupg:gnupg:1.0.0", "cpe:/a:gnupg:libgcrypt:1.5.1", "cpe:/a:gnupg:gnupg:1.3.3", "cpe:/a:gnupg:gnupg:2.0.16", "cpe:/a:gnupg:gnupg:0.2.19", "cpe:/o:canonical:ubuntu_linux:13.04", "cpe:/a:gnupg:gnupg:1.3.91", "cpe:/a:gnupg:gnupg:1.2.5", "cpe:/a:gnupg:gnupg:0.4.1", "cpe:/a:gnupg:gnupg:1.0.6", "cpe:/a:gnupg:gnupg:1.0.3", "cpe:/a:gnupg:gnupg:0.9.10", "cpe:/o:debian:debian_linux:7.0", "cpe:/a:gnupg:gnupg:1.0.5", "cpe:/a:gnupg:gnupg:2.0.15", "cpe:/a:gnupg:gnupg:1.0.7", "cpe:/a:gnupg:gnupg:1.3.0", "cpe:/a:gnupg:gnupg:1.3.6", "cpe:/a:gnupg:gnupg:1.3.4", "cpe:/a:gnupg:gnupg:1.3.1", "cpe:/a:gnupg:gnupg:1.2.0", "cpe:/a:gnupg:libgcrypt:1.5.2", "cpe:/a:gnupg:gnupg:2.0.11", "cpe:/a:gnupg:gnupg:2.0.6", "cpe:/a:gnupg:gnupg:0.3.3", "cpe:/a:gnupg:gnupg:1.2.3", "cpe:/a:gnupg:gnupg:2.0.17", "cpe:/a:gnupg:gnupg:0.2.17", "cpe:/a:gnupg:libgcrypt:1.4.5", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:novell:opensuse:12.2", "cpe:/a:gnupg:libgcrypt:1.4.4"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4242", "id": "CVE-2013-4242", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "f5": [{"lastseen": "2018-08-21T04:25:38", "references": [], "description": "\nF5 Product Development has assigned IDs 435442 and 600481 (BIG-IP), and ID 512014 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H40131068 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.1.0 | Low | GnuPG package \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP DNS | 12.0.0 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 | Low | GnuPG package \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP GTM | 11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP PSM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | >10.0.0 - 10.1.0 | Low | GnuPG package \nARX | 6.0.0 - 6.4.0 | None | Low | GnuPG package \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | GnuPG package \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ Device | 4.2.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ Security | 4.0.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "reporter": "f5", "published": "2016-02-19T10:45:00", "title": "GnuPG vulnerability CVE-2013-4402", "type": "f5", "enchantments": {"score": {"modified": "2018-08-21T04:25:38", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4402"], "modified": "2018-08-21T02:53:00", "id": "F5:K40131068", "href": "https://support.f5.com/csp/article/K40131068", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-21T04:25:34", "references": [], "description": "\nF5 Product Development has assigned IDs 435442, 435439, and 600481 (BIG-IP), and ID 512014 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H75253136 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.1.0 | Low | GnuPG package \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP DNS | 12.0.0 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 | Low | GnuPG package \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP GTM | 11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP PSM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nARX | 6.0.0 - 6.4.0 | None | Low | GnuPG package \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | GnuPG package \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ Device | 4.2.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ Security | 4.0.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "reporter": "f5", "published": "2016-02-19T11:08:00", "title": "GnuPG vulnerability CVE-2013-4242", "type": "f5", "enchantments": {"score": {"modified": "2018-08-21T04:25:34", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4242"], "modified": "2018-08-21T02:53:00", "id": "F5:K75253136", "href": "https://support.f5.com/csp/article/K75253136", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-20T22:25:02", "references": [], "description": "\nF5 Product Development has assigned ID 435442 (BIG-IP) and ID 512014 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H50413110 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.1.0 | Low | GnuPG package \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP DNS | 12.0.0 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 | Low | GnuPG package \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP GTM | 11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.4.1 \n10.2.0 - 10.2.4 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 \n10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP PSM | 12.0.0 \n11.3.0 - 11.4.1 | 14.0.0 \n13.0.0 - 13.1.1 \n12.1.0 - 12.1.3 \n11.5.0 - 11.6.3 | Low | GnuPG package \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.2.0 - 10.2.4 | 10.0.0 - 10.1.0 | Low | GnuPG package \nARX | 6.0.0 - 6.4.0 | None | Low | GnuPG package \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | GnuPG package \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ Device | 4.2.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ Security | 4.0.0 - 4.3.0 | 4.4.0 - 4.5.0 | Low | GnuPG package \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability for BIG-IP systems, you should permit management access only over a secure network and limit shell access to only trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "edition": 1, "reporter": "f5", "published": "2016-02-19T10:52:00", "title": "GnuPG vulnerability CVE-2013-4351", "type": "f5", "enchantments": {"score": {"modified": "2018-08-20T22:25:02", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4351"], "modified": "2018-08-20T21:30:00", "id": "F5:K50413110", "href": "https://support.f5.com/csp/article/K50413110", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-26T17:23:11", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "reporter": "f5", "published": "2016-02-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL40131068 - GnuPG vulnerability CVE-2013-4402", "bulletinFamily": "software", "affectedSoftware": [{"name": "BIG-IP PSM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP APM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP AFM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP AAM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IQ Device", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "11.4.1", "operator": "le"}, {"name": "Enterprise Manager", "version": "3.1.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP AFM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP GTM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IQ Security", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PSM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP DNS", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP PEM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP LTM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PEM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP GTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IQ Cloud", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "11.3.0", "operator": "le"}, {"name": "ARX", "version": "6.4.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP ASM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP AAM", "version": "11.4.1", "operator": "le"}], "cvelist": ["CVE-2013-4402"], "modified": "2016-07-08T00:00:00", "id": "SOL40131068", "href": "http://support.f5.com/kb/en-us/solutions/public/k/40/sol40131068.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:23:13", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13123", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Recommended Action\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n", "reporter": "f5", "published": "2015-04-09T00:00:00", "title": "SOL16396 - GnuPG vulnerability CVE-2013-4576", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "ARX", "version": "6.4.0", "operator": "le"}], "cvelist": ["CVE-2013-4576"], "modified": "2015-04-09T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/300/sol16396.html", "id": "SOL16396", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-26T17:22:56", "references": ["https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html", "https://support.f5.com/kb/en-us/solutions/public/12000/700/sol12766.html", "https://support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability for BIG-IP systems, you should permit management access only over a secure network and limit shell access to only trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "reporter": "f5", "published": "2016-02-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL50413110 - GnuPG vulnerability CVE-2013-4351", "bulletinFamily": "software", "affectedSoftware": [{"name": "BIG-IP PSM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP AAM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP AFM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IQ Device", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP APM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "11.4.1", "operator": "le"}, {"name": "Enterprise Manager", "version": "3.1.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP AFM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP GTM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IQ Security", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PSM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP PEM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PEM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP DNS", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP GTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP LTM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IQ Cloud", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "11.3.0", "operator": "le"}, {"name": "ARX", "version": "6.4.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP ASM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP AAM", "version": "11.4.1", "operator": "le"}], "cvelist": ["CVE-2013-4351"], "modified": "2016-03-25T00:00:00", "id": "SOL50413110", "href": "http://support.f5.com/kb/en-us/solutions/public/k/50/sol50413110.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-26T17:23:08", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "reporter": "f5", "published": "2016-02-19T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL75253136 - GnuPG vulnerability CVE-2013-4242", "bulletinFamily": "software", "affectedSoftware": [{"name": "BIG-IP PSM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP APM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP AFM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP AAM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IQ Device", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "11.4.1", "operator": "le"}, {"name": "Enterprise Manager", "version": "3.1.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP AFM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP GTM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IQ Security", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PSM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP DNS", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP PEM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP LTM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PEM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP GTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IQ Cloud", "version": "4.3.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "11.3.0", "operator": "le"}, {"name": "ARX", "version": "6.4.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP ASM", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IP AAM", "version": "11.4.1", "operator": "le"}], "cvelist": ["CVE-2013-4242"], "modified": "2016-07-08T00:00:00", "id": "SOL75253136", "href": "http://support.f5.com/kb/en-us/solutions/public/k/75/sol75253136.html", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2018-09-01T23:56:39", "references": ["2013-23615", "https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125330.html"], "pluginID": "1361412562310867200", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-30T00:00:00", "title": "Fedora Update for gnupg FEDORA-2013-23615", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4576", "CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867200", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867200", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-23615\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867200\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 11:30:15 +0530 (Mon, 30 Dec 2013)\");\n script_cve_id(\"CVE-2013-4576\", \"CVE-2013-4402\", \"CVE-2013-4351\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-23615\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-23615\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125330.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.16~2.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-02-05T11:10:16", "references": ["2013-23615", "https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125330.html"], "pluginID": "867200", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-30T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for gnupg FEDORA-2013-23615", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4576", "CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-02-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867200", "id": "OPENVAS:867200", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-23615\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867200);\n script_version(\"$Revision: 8650 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-03 13:16:59 +0100 (Sat, 03 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 11:30:15 +0530 (Mon, 30 Dec 2013)\");\n script_cve_id(\"CVE-2013-4576\", \"CVE-2013-4402\", \"CVE-2013-4351\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-23615\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-23615\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125330.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.16~2.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:57:54", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html", "2013-23678"], "pluginID": "1361412562310867209", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-30T00:00:00", "title": "Fedora Update for gnupg FEDORA-2013-23678", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4576", "CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867209", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867209", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-23678\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867209\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-30 12:25:04 +0530 (Mon, 30 Dec 2013)\");\n script_cve_id(\"CVE-2013-4576\", \"CVE-2013-4402\", \"CVE-2013-4351\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-23678\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-23678\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/125340.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.16~2.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:57:26", "references": ["2013-18647", "https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121715.html"], "pluginID": "1361412562310867062", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-11-18T00:00:00", "title": "Fedora Update for gnupg FEDORA-2013-18647", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867062", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867062", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-18647\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867062\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-18 13:22:10 +0530 (Mon, 18 Nov 2013)\");\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-18647\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-18647\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121715.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.15~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-24T11:10:23", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-October/118834.html", "2013-18676"], "pluginID": "866987", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "published": "2013-10-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for gnupg FEDORA-2013-18676", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-01-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=866987", "id": "OPENVAS:866987", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-18676\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(866987);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-15 13:01:03 +0530 (Tue, 15 Oct 2013)\");\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-18676\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-18676\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-October/118834.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.15~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:57:03", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-October/118834.html", "2013-18676"], "pluginID": "1361412562310866987", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "published": "2013-10-15T00:00:00", "title": "Fedora Update for gnupg FEDORA-2013-18676", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310866987", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310866987", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-18676\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.866987\");\n script_version(\"$Revision: 9353 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-10-15 13:01:03 +0530 (Tue, 15 Oct 2013)\");\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-18676\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-18676\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-October/118834.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.15~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-22T13:09:57", "references": ["2013-18647", "https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121715.html"], "pluginID": "867062", "description": "Check for the Version of gnupg", "edition": 3, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-11-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for gnupg FEDORA-2013-18647", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-01-22T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867062", "id": "OPENVAS:867062", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for gnupg FEDORA-2013-18647\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867062);\n script_version(\"$Revision: 8483 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-22 07:58:04 +0100 (Mon, 22 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-11-18 13:22:10 +0530 (Mon, 18 Nov 2013)\");\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\", \"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for gnupg FEDORA-2013-18647\");\n\n tag_insight = \"GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and\ncreating digital signatures. GnuPG has advanced key management\ncapabilities and is compliant with the proposed OpenPGP Internet\nstandard described in RFC2440. Since GnuPG doesn't use any patented\nalgorithm, it is not compatible with any version of PGP2 (PGP2.x uses\nonly IDEA for symmetric-key encryption, which is patented worldwide).\n\";\n\n tag_affected = \"gnupg on Fedora 18\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-18647\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121715.html\");\n script_tag(name: \"summary\" , value: \"Check for the Version of gnupg\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnupg\", rpm:\"gnupg~1.4.15~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:46:21", "references": ["https://support.f5.com/kb/en-us/solutions/public/k/40/sol40131068.html?sr=51723047"], "pluginID": "1361412562310105558", "description": "The remote host is missing a security patch.", "edition": 3, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-02-23T00:00:00", "title": "F5 BIG-IP - SOL40131068 - GnuPG vulnerability CVE-2013-4402", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "F5 Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4402"], "modified": "2017-03-29T00:00:00", "id": "OPENVAS:1361412562310105558", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105558", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_f5_big_ip_sol40131068.nasl 5759 2017-03-29 09:01:08Z teissa $\n#\n# F5 BIG-IP - SOL40131068 - GnuPG vulnerability CVE-2013-4402\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105558\");\n script_cve_id(\"CVE-2013-4402\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version (\"$Revision: 5759 $\");\n\n script_name(\"F5 BIG-IP - SOL40131068 - GnuPG vulnerability CVE-2013-4402\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/40/sol40131068.html?sr=51723047\");\n\n script_tag(name: \"impact\" , value:\"A remote attacker may exploit this flaw by way of a specially crafted OpenPGP message to cause a denial-of-service (DoS).\");\n\n script_tag(name: \"vuldetect\" , value:\"Check the version.\");\n\n script_tag(name: \"insight\" , value:\"The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.\");\n\n script_tag(name: \"solution\" , value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name: \"summary\" , value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-29 11:01:08 +0200 (Wed, 29 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-23 10:41:29 +0100 (Tue, 23 Feb 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"f5/big_ip/version\",\"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.1;');\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.0;11.4.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.1;');\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.0;11.3.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.1;');\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['GTM'] = make_array( 'affected', '11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.0;11.3.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\nif( report = is_f5_vulnerable( ca:check_f5, version:version ) )\n{\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:45:55", "references": ["https://support.f5.com/kb/en-us/solutions/public/k/50/sol50413110.html?sr=51723047"], "pluginID": "1361412562310105555", "description": "The remote host is missing a security patch.", "edition": 4, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-02-23T00:00:00", "title": "F5 BIG-IP - SOL50413110 - GnuPG vulnerability CVE-2013-4351", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "F5 Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4351"], "modified": "2018-01-31T00:00:00", "id": "OPENVAS:1361412562310105555", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105555", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_f5_big_ip_sol50413110.nasl 8592 2018-01-31 02:04:43Z ckuersteiner $\n#\n# F5 BIG-IP - SOL50413110 - GnuPG vulnerability CVE-2013-4351\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105555\");\n script_cve_id(\"CVE-2013-4351\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_version (\"$Revision: 8592 $\");\n\n script_name(\"F5 BIG-IP - SOL50413110 - GnuPG vulnerability CVE-2013-4351\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/50/sol50413110.html?sr=51723047\");\n\n script_tag(name: \"impact\" , value:\"A remote attacker may exploit this flaw to bypass the intended cryptographic protection mechanism.\");\n\n script_tag(name: \"vuldetect\" , value:\"Check the version.\");\n\n script_tag(name: \"insight\" , value:\"GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.\");\n\n script_tag(name: \"solution\" , value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name: \"summary\" , value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-31 03:04:43 +0100 (Wed, 31 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-23 10:33:41 +0100 (Tue, 23 Feb 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"f5/big_ip/version\",\"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['AAM'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.4.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['AFM'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.3.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['AVR'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.0.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['APM'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['ASM'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.0.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['GTM'] = make_array( 'affected', '11.6.1-11.6.3;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['LC'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['PEM'] = make_array( 'affected', '13.0.0-13.1.0;12.0.0-12.1.3;11.6.1-11.6.3;12.0.0;11.3.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['PSM'] = make_array( 'affected', '11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '');\n\nif( report = is_f5_vulnerable( ca:check_f5, version:version ) )\n{\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:48:22", "references": ["https://support.f5.com/kb/en-us/solutions/public/k/75/sol75253136.html?sr=51723047"], "pluginID": "1361412562310105557", "description": "The remote host is missing a security patch.", "edition": 3, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-02-23T00:00:00", "title": "F5 BIG-IP - SOL75253136 - GnuPG vulnerability CVE-2013-4242", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "F5 Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242"], "modified": "2017-03-10T00:00:00", "id": "OPENVAS:1361412562310105557", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105557", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_f5_big_ip_sol75253136.nasl 5534 2017-03-10 10:00:33Z teissa $\n#\n# F5 BIG-IP - SOL75253136 - GnuPG vulnerability CVE-2013-4242\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105557\");\n script_cve_id(\"CVE-2013-4242\");\n script_tag(name:\"cvss_base\", value:\"1.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_version (\"$Revision: 5534 $\");\n\n script_name(\"F5 BIG-IP - SOL75253136 - GnuPG vulnerability CVE-2013-4242\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/75/sol75253136.html?sr=51723047\");\n\n script_tag(name: \"impact\" , value:\"Local user may obtain confidential information by exploiting this vulnerability\");\n\n script_tag(name: \"vuldetect\" , value:\"Check the version.\");\n\n script_tag(name: \"insight\" , value:\"GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.\");\n\n script_tag(name: \"solution\" , value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name: \"summary\" , value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-10 11:00:33 +0100 (Fri, 10 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-23 10:39:51 +0100 (Tue, 23 Feb 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"f5/big_ip/version\",\"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.0;11.4.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.0;11.3.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['GTM'] = make_array( 'affected', '11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.0;11.0.0-11.4.1;10.1.0-10.2.4;',\n 'unaffected', '11.5.0-11.6.0;');\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.0;11.3.0-11.4.1;',\n 'unaffected', '11.5.0-11.6.0;');\n\nif( report = is_f5_vulnerable( ca:check_f5, version:version ) )\n{\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n\n", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2018-09-02T00:00:25", "references": ["http://www.nessus.org/u?e5b70aa4"], "pluginID": "70634", "description": "An updated gnupg package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process (such as a different local user or a user of a KVM guest running on the same host with the kernel same-page merging functionality enabled) could possibly use this flaw to obtain portions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP key packet. GPG could accept a key for uses not indicated by its holder. (CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which contains backported patches to correct these issues.", "edition": 5, "reporter": "Tenable", "published": "2013-10-27T00:00:00", "title": "CentOS 5 : gnupg (CESA-2013:1458)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2018-07-02T00:00:00", "cpe": ["p-cpe:/a:centos:centos:gnupg", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2013-1458.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70634", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1458 and \n# CentOS Errata and Security Advisory 2013:1458 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70634);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/02 18:48:53\");\n\n script_cve_id(\"CVE-2012-6085\", \"CVE-2013-4242\", \"CVE-2013-4351\", \"CVE-2013-4402\");\n script_bugtraq_id(57102, 61464, 62857, 62921);\n script_xref(name:\"RHSA\", value:\"2013:1458\");\n\n script_name(english:\"CentOS 5 : gnupg (CESA-2013:1458)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated gnupg package that fixes multiple security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP\nInternet standard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner\nflush+reload cache side-channel attack on the RSA secret exponent. An\nattacker able to execute a process on the logical CPU that shared the\nL3 cache with the GnuPG process (such as a different local user or a\nuser of a KVM guest running on the same host with the kernel same-page\nmerging functionality enabled) could possibly use this flaw to obtain\nportions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite\nloop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG\nkeyring database corrupted that keyring. An attacker could use this\nflaw to trick a local user into importing a specially crafted public\nkey into their keyring database, causing the keyring to be corrupted\nand preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a\nPGP key packet. GPG could accept a key for uses not indicated by its\nholder. (CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the\nCVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the\noriginal reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2013-October/019991.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e5b70aa4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gnupg package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"gnupg-1.4.5-18.el5_10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:48:14", "references": ["https://alas.aws.amazon.com/ALAS-2013-237.html"], "pluginID": "70899", "description": "GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.\n\nThe compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.", "edition": 5, "reporter": "Tenable", "published": "2013-11-14T00:00:00", "title": "Amazon Linux AMI : gnupg2 (ALAS-2013-237)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:gnupg2-debuginfo", "p-cpe:/a:amazon:linux:gnupg2-smime", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:gnupg2"], "id": "ALA_ALAS-2013-237.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70899", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-237.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70899);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\");\n script_xref(name:\"ALAS\", value:\"2013-237\");\n\n script_name(english:\"Amazon Linux AMI : gnupg2 (ALAS-2013-237)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all\nbits cleared (no usage permitted) as if it has all bits set (all usage\npermitted), which might allow remote attackers to bypass intended\ncryptographic protection mechanisms by leveraging the subkey.\n\nThe compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x\nbefore 2.0.22 allows remote attackers to cause a denial of service\n(infinite recursion) via a crafted OpenPGP message.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-237.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update gnupg2' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnupg2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnupg2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnupg2-smime\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"gnupg2-2.0.22-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnupg2-debuginfo-2.0.22-1.24.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnupg2-smime-2.0.22-1.24.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg2 / gnupg2-debuginfo / gnupg2-smime\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:52:08", "references": ["http://www.nessus.org/u?73c2b5c7", "http://www.nessus.org/u?beac7603", "http://www.nessus.org/u?b5f8def1"], "pluginID": "80627", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. (CVE-2013-4351)\n\n - The compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. (CVE-2013-4402)", "edition": 4, "reporter": "Tenable", "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : gnupg (cve_2013_4351_cryptographic_issues)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Solaris Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2015-01-19T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.2", "p-cpe:/a:oracle:solaris:gnupg"], "id": "SOLARIS11_GNUPG_20140731.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80627", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80627);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2015/01/19 15:17:51 $\");\n\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : gnupg (cve_2013_4351_cryptographic_issues)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags\n subpacket with all bits cleared (no usage permitted) as\n if it has all bits set (all usage permitted), which\n might allow remote attackers to bypass intended\n cryptographic protection mechanisms by leveraging the\n subkey. (CVE-2013-4351)\n\n - The compressed packet parser in GnuPG 1.4.x before\n 1.4.15 and 2.0.x before 2.0.22 allows remote attackers\n to cause a denial of service (infinite recursion) via a\n crafted OpenPGP message. (CVE-2013-4402)\"\n );\n # http://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b5f8def1\"\n );\n # https://blogs.oracle.com/sunsecurity/entry/cve_2013_4351_cryptographic_issues\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?beac7603\"\n );\n # https://blogs.oracle.com/sunsecurity/entry/cve_2013_4402_input_validation\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?73c2b5c7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:gnupg\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^gnupg$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.2.0.0.0.0\", sru:\"11.2 SRU 0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : gnupg\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"gnupg\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-02T00:01:09", "references": ["http://www.nessus.org/u?41bc4ea9"], "pluginID": "70604", "description": "It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process (such as a different local user or a user of a KVM guest running on the same host with the kernel same-page merging functionality enabled) could possibly use this flaw to obtain portions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP key packet. GPG could accept a key for uses not indicated by its holder. (CVE-2013-4351)", "edition": 4, "reporter": "Tenable", "published": "2013-10-25T00:00:00", "title": "Scientific Linux Security Update : gnupg on SL5.x i386/x86_64", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2013-10-25T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20131024_GNUPG_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70604", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70604);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2013/10/25 10:45:51 $\");\n\n script_cve_id(\"CVE-2012-6085\", \"CVE-2013-4242\", \"CVE-2013-4351\", \"CVE-2013-4402\");\n\n script_name(english:\"Scientific Linux Security Update : gnupg on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was found that GnuPG was vulnerable to the Yarom/Falkner\nflush+reload cache side-channel attack on the RSA secret exponent. An\nattacker able to execute a process on the logical CPU that shared the\nL3 cache with the GnuPG process (such as a different local user or a\nuser of a KVM guest running on the same host with the kernel same-page\nmerging functionality enabled) could possibly use this flaw to obtain\nportions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite\nloop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG\nkeyring database corrupted that keyring. An attacker could use this\nflaw to trick a local user into importing a specially crafted public\nkey into their keyring database, causing the keyring to be corrupted\nand preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a\nPGP key packet. GPG could accept a key for uses not indicated by its\nholder. (CVE-2013-4351)\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1310&L=scientific-linux-errata&T=0&P=2760\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?41bc4ea9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnupg and / or gnupg-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"gnupg-1.4.5-18.el5_10\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"gnupg-debuginfo-1.4.5-18.el5_10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:05:41", "references": ["http://www.nessus.org/u?d26194bc", "https://bugzilla.redhat.com/show_bug.cgi?id=1010137", "https://bugzilla.redhat.com/show_bug.cgi?id=1015685"], "pluginID": "70861", "description": "- CVE-2013-4351\n\n - CVE-2013-4402\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-11-13T00:00:00", "title": "Fedora 18 : gnupg-1.4.15-1.fc18 (2013-18647)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:gnupg"], "id": "FEDORA_2013-18647.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70861", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-18647.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70861);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:37:38 $\");\n\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\");\n script_bugtraq_id(62857, 62921);\n script_xref(name:\"FEDORA\", value:\"2013-18647\");\n\n script_name(english:\"Fedora 18 : gnupg-1.4.15-1.fc18 (2013-18647)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - CVE-2013-4351\n\n - CVE-2013-4402\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1010137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1015685\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-November/121715.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d26194bc\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gnupg package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"gnupg-1.4.15-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:50:54", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=840510", "http://support.novell.com/security/cve/CVE-2013-4402.html", "https://bugzilla.novell.com/show_bug.cgi?id=844175", "http://support.novell.com/security/cve/CVE-2013-4351.html"], "pluginID": "70631", "description": "This GnuPG update fixes two security issues :\n\n - GnuPG treated no-usage-permitted keys as all-usages-permitted. (CVE-2013-4351)\n\n - An infinite recursion in the compressed packet parser was fixed. (CVE-2013-4402)", "edition": 4, "reporter": "Tenable", "published": "2013-10-25T00:00:00", "title": "SuSE 11.2 / 11.3 Security Update : gpg2 (SAT Patch Numbers 8426 / 8427)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2013-10-25T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:gpg2", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:gpg2-lang"], "id": "SUSE_11_GPG2-131008.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70631", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70631);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2013/10/25 23:59:45 $\");\n\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\");\n\n script_name(english:\"SuSE 11.2 / 11.3 Security Update : gpg2 (SAT Patch Numbers 8426 / 8427)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This GnuPG update fixes two security issues :\n\n - GnuPG treated no-usage-permitted keys as\n all-usages-permitted. (CVE-2013-4351)\n\n - An infinite recursion in the compressed packet parser\n was fixed. (CVE-2013-4402)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=840510\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=844175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-4351.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-4402.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 8426 / 8427 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:gpg2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:gpg2-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"gpg2-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"gpg2-lang-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"gpg2-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"gpg2-lang-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"gpg2-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"gpg2-lang-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"gpg2-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"gpg2-lang-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"gpg2-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"gpg2-lang-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"gpg2-2.0.9-25.33.37.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"gpg2-lang-2.0.9-25.33.37.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-02T00:00:10", "references": ["https://alas.aws.amazon.com/ALAS-2013-236.html"], "pluginID": "70898", "description": "GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey.\n\nThe compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message.", "edition": 5, "reporter": "Tenable", "published": "2013-11-14T00:00:00", "title": "Amazon Linux AMI : gnupg (ALAS-2013-236)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2018-04-18T00:00:00", "cpe": ["cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:gnupg-debuginfo", "p-cpe:/a:amazon:linux:gnupg"], "id": "ALA_ALAS-2013-236.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-236.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70898);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-4351\", \"CVE-2013-4402\");\n script_xref(name:\"ALAS\", value:\"2013-236\");\n\n script_name(english:\"Amazon Linux AMI : gnupg (ALAS-2013-236)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all\nbits cleared (no usage permitted) as if it has all bits set (all usage\npermitted), which might allow remote attackers to bypass intended\ncryptographic protection mechanisms by leveraging the subkey.\n\nThe compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x\nbefore 2.0.22 allows remote attackers to cause a denial of service\n(infinite recursion) via a crafted OpenPGP message.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-236.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update gnupg' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:gnupg-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"gnupg-1.4.15-1.21.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"gnupg-debuginfo-1.4.15-1.21.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg / gnupg-debuginfo\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-02T00:09:54", "references": ["https://oss.oracle.com/pipermail/el-errata/2013-October/003761.html"], "pluginID": "70597", "description": "From Red Hat Security Advisory 2013:1458 :\n\nAn updated gnupg package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process (such as a different local user or a user of a KVM guest running on the same host with the kernel same-page merging functionality enabled) could possibly use this flaw to obtain portions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP key packet. GPG could accept a key for uses not indicated by its holder. (CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which contains backported patches to correct these issues.", "edition": 5, "reporter": "Tenable", "published": "2013-10-25T00:00:00", "title": "Oracle Linux 5 : gnupg (ELSA-2013-1458)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2018-07-18T00:00:00", "cpe": ["cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:gnupg"], "id": "ORACLELINUX_ELSA-2013-1458.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70597", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:1458 and \n# Oracle Linux Security Advisory ELSA-2013-1458 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70597);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/18 17:43:57\");\n\n script_cve_id(\"CVE-2012-6085\", \"CVE-2013-4242\", \"CVE-2013-4351\", \"CVE-2013-4402\");\n script_bugtraq_id(57102, 61464, 62857, 62921);\n script_xref(name:\"RHSA\", value:\"2013:1458\");\n\n script_name(english:\"Oracle Linux 5 : gnupg (ELSA-2013-1458)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:1458 :\n\nAn updated gnupg package that fixes multiple security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP\nInternet standard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner\nflush+reload cache side-channel attack on the RSA secret exponent. An\nattacker able to execute a process on the logical CPU that shared the\nL3 cache with the GnuPG process (such as a different local user or a\nuser of a KVM guest running on the same host with the kernel same-page\nmerging functionality enabled) could possibly use this flaw to obtain\nportions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite\nloop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG\nkeyring database corrupted that keyring. An attacker could use this\nflaw to trick a local user into importing a specially crafted public\nkey into their keyring database, causing the keyring to be corrupted\nand preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a\nPGP key packet. GPG could accept a key for uses not indicated by its\nholder. (CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the\nCVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the\noriginal reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-October/003761.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gnupg package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"gnupg-1.4.5-18.el5_10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:56:56", "references": ["https://security.gentoo.org/glsa/201402-24", "https://eprint.iacr.org/2013/448"], "pluginID": "72638", "description": "The remote host is affected by the vulnerability described in GLSA-201402-24 (GnuPG, Libgcrypt: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n An unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running GnuPG, cause a Denial of Service condition, or bypass security restrictions. Additionally, a side-channel attack may allow a local attacker to recover a private key, please review “Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack” in the References section for further details.\n Workaround :\n\n There is no known workaround at this time.", "edition": 6, "reporter": "Tenable", "published": "2014-02-23T00:00:00", "title": "GLSA-201402-24 : GnuPG, Libgcrypt: Multiple vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2018-07-12T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:gnupg", "p-cpe:/a:gentoo:linux:libgcrypt"], "id": "GENTOO_GLSA-201402-24.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72638", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201402-24.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72638);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/12 19:01:15\");\n\n script_cve_id(\"CVE-2012-6085\", \"CVE-2013-4242\", \"CVE-2013-4351\", \"CVE-2013-4402\");\n script_bugtraq_id(57102, 61464, 62857, 62921);\n script_xref(name:\"GLSA\", value:\"201402-24\");\n\n script_name(english:\"GLSA-201402-24 : GnuPG, Libgcrypt: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201402-24\n(GnuPG, Libgcrypt: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n An unauthenticated remote attacker may be able to execute arbitrary code\n with the privileges of the user running GnuPG, cause a Denial of Service\n condition, or bypass security restrictions. Additionally, a side-channel\n attack may allow a local attacker to recover a private key, please review\n “Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel\n Attack” in the References section for further details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://eprint.iacr.org/2013/448\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201402-24\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All GnuPG 2.0 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-crypt/gnupg-2.0.22'\n All GnuPG 1.4 users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-crypt/gnupg-1.4.16'\n All Libgcrypt users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=dev-libs/libgcrypt-1.5.3'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:libgcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-libs/libgcrypt\", unaffected:make_list(\"ge 1.5.3\"), vulnerable:make_list(\"lt 1.5.3\"))) flag++;\nif (qpkg_check(package:\"app-crypt/gnupg\", unaffected:make_list(\"ge 2.0.22\", \"rge 1.4.16\", \"rge 1.4.17\", \"rge 1.4.18\", \"rge 1.4.19\", \"rge 1.4.20\", \"rge 1.4.21\"), vulnerable:make_list(\"lt 2.0.22\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"GnuPG / Libgcrypt\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-12T09:52:20", "references": ["https://www.redhat.com/security/data/cve/CVE-2013-4402.html", "https://www.redhat.com/security/data/cve/CVE-2012-6085.html", "https://www.redhat.com/security/data/cve/CVE-2013-4351.html", "https://www.redhat.com/security/data/cve/CVE-2013-4242.html", "http://rhn.redhat.com/errata/RHSA-2013-1458.html"], "pluginID": "70601", "description": "An updated gnupg package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process (such as a different local user or a user of a KVM guest running on the same host with the kernel same-page merging functionality enabled) could possibly use this flaw to obtain portions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain compressed OpenPGP packets. An attacker could use this flaw to send specially crafted input data to GnuPG, making GnuPG enter an infinite loop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring database corrupted that keyring. An attacker could use this flaw to trick a local user into importing a specially crafted public key into their keyring database, causing the keyring to be corrupted and preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP key packet. GPG could accept a key for uses not indicated by its holder. (CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which contains backported patches to correct these issues.", "edition": 7, "reporter": "Tenable", "published": "2013-10-25T00:00:00", "title": "RHEL 5 : gnupg (RHSA-2013:1458)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2018-09-10T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:gnupg", "p-cpe:/a:redhat:enterprise_linux:gnupg-debuginfo"], "id": "REDHAT-RHSA-2013-1458.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70601", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1458. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70601);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/09/10 11:37:05\");\n\n script_cve_id(\"CVE-2012-6085\", \"CVE-2013-4242\", \"CVE-2013-4351\", \"CVE-2013-4402\");\n script_bugtraq_id(57102, 61464, 62857, 62921);\n script_xref(name:\"RHSA\", value:\"2013:1458\");\n\n script_name(english:\"RHEL 5 : gnupg (RHSA-2013:1458)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated gnupg package that fixes multiple security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP\nInternet standard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner\nflush+reload cache side-channel attack on the RSA secret exponent. An\nattacker able to execute a process on the logical CPU that shared the\nL3 cache with the GnuPG process (such as a different local user or a\nuser of a KVM guest running on the same host with the kernel same-page\nmerging functionality enabled) could possibly use this flaw to obtain\nportions of the RSA secret key. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite\nloop when parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG\nkeyring database corrupted that keyring. An attacker could use this\nflaw to trick a local user into importing a specially crafted public\nkey into their keyring database, causing the keyring to be corrupted\nand preventing its further use. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a\nPGP key packet. GPG could accept a key for uses not indicated by its\nholder. (CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the\nCVE-2013-4402 issue. Upstream acknowledges Taylor R Campbell as the\noriginal reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2013-1458.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2012-6085.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-4351.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-4242.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2013-4402.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected gnupg and / or gnupg-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:gnupg-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:1458\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"gnupg-1.4.5-18.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"gnupg-1.4.5-18.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"gnupg-1.4.5-18.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"gnupg-debuginfo-1.4.5-18.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"gnupg-debuginfo-1.4.5-18.el5_10\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"gnupg-debuginfo-1.4.5-18.el5_10\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gnupg / gnupg-debuginfo\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-03T18:25:04", "references": ["https://rhn.redhat.com/errata/RHSA-2013-1458.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "x86_64", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "i386", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "any", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.src.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2013:1458\n\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP Internet\nstandard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload\ncache side-channel attack on the RSA secret exponent. An attacker able to\nexecute a process on the logical CPU that shared the L3 cache with the\nGnuPG process (such as a different local user or a user of a KVM guest\nrunning on the same host with the kernel same-page merging functionality\nenabled) could possibly use this flaw to obtain portions of the RSA secret\nkey. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite loop\nwhen parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring\ndatabase corrupted that keyring. An attacker could use this flaw to trick a\nlocal user into importing a specially crafted public key into their keyring\ndatabase, causing the keyring to be corrupted and preventing its further\nuse. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP\nkey packet. GPG could accept a key for uses not indicated by its holder.\n(CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402\nissue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019991.html\n\n**Affected packages:**\ngnupg\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1458.html", "edition": 1, "reporter": "CentOS Project", "published": "2013-10-25T14:00:34", "title": "gnupg security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2013-10-25T14:00:34", "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019991.html", "id": "CESA-2013:1458", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-10-03T18:26:17", "references": ["https://rhn.redhat.com/errata/RHSA-2013-1459.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "packageFilename": "gnupg2-2.0.10-6.el5_10.x86_64.rpm", "packageName": "gnupg2", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "packageFilename": "gnupg2-2.0.14-6.el6_4.i686.rpm", "packageName": "gnupg2", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm", "packageName": "gnupg2-smime", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "packageFilename": "gnupg2-2.0.14-6.el6_4.src.rpm", "packageName": "gnupg2", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.i686.rpm", "packageName": "gnupg2-smime", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "packageFilename": "gnupg2-2.0.10-6.el5_10.src.rpm", "packageName": "gnupg2", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "packageFilename": "gnupg2-2.0.10-6.el5_10.i386.rpm", "packageName": "gnupg2", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "packageFilename": "gnupg2-2.0.14-6.el6_4.x86_64.rpm", "packageName": "gnupg2", "arch": "x86_64", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2013:1459\n\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP Internet\nstandard and the S/MIME standard.\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite loop\nwhen parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring\ndatabase corrupted that keyring. An attacker could use this flaw to trick a\nlocal user into importing a specially crafted public key into their keyring\ndatabase, causing the keyring to be corrupted and preventing its further\nuse. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP\nkey packet. GPG could accept a key for uses not indicated by its holder.\n(CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402\nissue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg2 users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019989.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019990.html\n\n**Affected packages:**\ngnupg2\ngnupg2-smime\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1459.html", "edition": 1, "reporter": "CentOS Project", "published": "2013-10-24T16:06:44", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "title": "gnupg2 security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2013-10-25T13:57:55", "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019989.html", "id": "CESA-2013:1459", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-10-03T18:24:46", "references": ["https://rhn.redhat.com/errata/RHSA-2013-1457.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "any", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "any", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.src.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2013:1457\n\n\nThe libgcrypt library provides general-purpose implementations of various\ncryptographic algorithms.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload\ncache side-channel attack on the RSA secret exponent. An attacker able to\nexecute a process on the logical CPU that shared the L3 cache with the\nGnuPG process (such as a different local user or a user of a KVM guest\nrunning on the same host with the kernel same-page merging functionality\nenabled) could possibly use this flaw to obtain portions of the RSA secret\nkey. (CVE-2013-4242)\n\nAll libgcrypt users are advised to upgrade to this updated package, which\ncontains a backported patch to correct this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019988.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-October/019992.html\n\n**Affected packages:**\nlibgcrypt\nlibgcrypt-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1457.html", "edition": 1, "reporter": "CentOS Project", "published": "2013-10-24T16:06:22", "title": "libgcrypt security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-10-25T14:03:32", "href": "http://lists.centos.org/pipermail/centos-announce/2013-October/019988.html", "id": "CESA-2013:1457", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-10-03T18:26:05", "references": ["https://rhn.redhat.com/errata/RHSA-2014-0016.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageFilename": "gnupg-1.4.5-18.el5_10.1.src.rpm", "packageName": "gnupg", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageFilename": "gnupg-1.4.5-18.el5_10.1.x86_64.rpm", "packageName": "gnupg", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageFilename": "gnupg-1.4.5-18.el5_10.1.i386.rpm", "packageName": "gnupg", "arch": "i386", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2014:0016\n\n\nThe GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP Internet\nstandard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to side-channel attacks via acoustic\ncryptanalysis. An attacker in close range to a target system that is\ndecrypting ciphertexts could possibly use this flaw to recover the RSA\nsecret key from that system. (CVE-2013-4576)\n\nRed Hat would like to thank Werner Koch of GnuPG upstream for reporting\nthis issue. Upstream acknowledges Genkin, Shamir, and Tromer as the\noriginal reporters.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains a backported patch to correct this issue.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-January/020101.html\n\n**Affected packages:**\ngnupg\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0016.html", "edition": 1, "reporter": "CentOS Project", "published": "2014-01-08T22:53:33", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "gnupg security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2014-01-08T22:53:33", "href": "http://lists.centos.org/pipermail/centos-announce/2014-January/020101.html", "id": "CESA-2014:0016", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:24", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6085", "https://bugs.gentoo.org/show_bug.cgi?id=484836", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4242", "https://bugs.gentoo.org/show_bug.cgi?id=449546", "https://bugs.gentoo.org/show_bug.cgi?id=487230", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4402", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4351", "https://bugs.gentoo.org/show_bug.cgi?id=478184", "https://bugs.gentoo.org/show_bug.cgi?id=494658", "http://eprint.iacr.org/2013/448"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.0.22", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "app-crypt/gnupg", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.5.3", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "dev-libs/libgcrypt", "operator": "lt"}], "edition": 1, "description": "### Background\n\nThe GNU Privacy Guard, GnuPG, is a free replacement for the PGP suite of cryptographic software. Libgcrypt is a cryptographic library based on GnuPG. \n\n### Description\n\nMultiple vulnerabilities have been discovered in GnuPG and Libgcrypt. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nAn unauthenticated remote attacker may be able to execute arbitrary code with the privileges of the user running GnuPG, cause a Denial of Service condition, or bypass security restrictions. Additionally, a side-channel attack may allow a local attacker to recover a private key, please review \u201cFlush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack\u201d in the References section for further details. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll GnuPG 2.0 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/gnupg-2.0.22\"\n \n\nAll GnuPG 1.4 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-crypt/gnupg-1.4.16\"\n \n\nAll Libgcrypt users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/libgcrypt-1.5.3\"", "reporter": "Gentoo Foundation", "published": "2014-02-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "GnuPG, Libgcrypt: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2016-08-24T00:00:00", "id": "GLSA-201402-24", "href": "https://security.gentoo.org/glsa/201402-24", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "redhat": [{"lastseen": "2017-09-09T07:20:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "i386", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.i386.rpm", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "x86_64", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.x86_64.rpm", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "i386", "packageFilename": "gnupg-1.4.5-18.el5_10.i386.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "x86_64", "packageFilename": "gnupg-1.4.5-18.el5_10.x86_64.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "ppc", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.ppc.rpm", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "s390x", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.s390x.rpm", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "ppc", "packageFilename": "gnupg-1.4.5-18.el5_10.ppc.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "s390x", "packageFilename": "gnupg-1.4.5-18.el5_10.s390x.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "ia64", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.ia64.rpm", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "ia64", "packageFilename": "gnupg-1.4.5-18.el5_10.ia64.rpm", "packageName": "gnupg", "operator": "lt"}], "description": "The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP Internet\nstandard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload\ncache side-channel attack on the RSA secret exponent. An attacker able to\nexecute a process on the logical CPU that shared the L3 cache with the\nGnuPG process (such as a different local user or a user of a KVM guest\nrunning on the same host with the kernel same-page merging functionality\nenabled) could possibly use this flaw to obtain portions of the RSA secret\nkey. (CVE-2013-4242)\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite loop\nwhen parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring\ndatabase corrupted that keyring. An attacker could use this flaw to trick a\nlocal user into importing a specially crafted public key into their keyring\ndatabase, causing the keyring to be corrupted and preventing its further\nuse. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP\nkey packet. GPG could accept a key for uses not indicated by its holder.\n(CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402\nissue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n", "reporter": "RedHat", "published": "2013-10-24T04:00:00", "type": "redhat", "title": "(RHSA-2013:1458) Moderate: gnupg security update", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-6085", "CVE-2013-4242", "CVE-2013-4351", "CVE-2013-4402"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T12:13:40", "id": "RHSA-2013:1458", "href": "https://access.redhat.com/errata/RHSA-2013:1458", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-06-06T18:04:22", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "x86_64", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.10-6.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "src", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.10-6.el5_10.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "i386", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.10-6.el5_10.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "i386", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.10-6.el5_10.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "x86_64", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.10-6.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "ppc", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.10-6.el5_10.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "ppc", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.10-6.el5_10.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "s390x", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.10-6.el5_10.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "s390x", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.10-6.el5_10.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "ia64", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.10-6.el5_10.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "ia64", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.10-6.el5_10.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "i686", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.14-6.el6_4.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "src", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.14-6.el6_4.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "x86_64", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.14-6.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "i686", "packageName": "gnupg2-smime", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "x86_64", "packageName": "gnupg2-smime", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "i686", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.14-6.el6_4.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "x86_64", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.14-6.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "ppc64", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.14-6.el6_4.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "ppc64", "packageName": "gnupg2-smime", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "ppc64", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.14-6.el6_4.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "s390x", "packageName": "gnupg2-debuginfo", "packageFilename": "gnupg2-debuginfo-2.0.14-6.el6_4.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "s390x", "packageName": "gnupg2-smime", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "s390x", "packageName": "gnupg2", "packageFilename": "gnupg2-2.0.14-6.el6_4.s390x.rpm", "operator": "lt"}], "description": "The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP Internet\nstandard and the S/MIME standard.\n\nA denial of service flaw was found in the way GnuPG parsed certain\ncompressed OpenPGP packets. An attacker could use this flaw to send\nspecially crafted input data to GnuPG, making GnuPG enter an infinite loop\nwhen parsing data. (CVE-2013-4402)\n\nIt was found that importing a corrupted public key into a GnuPG keyring\ndatabase corrupted that keyring. An attacker could use this flaw to trick a\nlocal user into importing a specially crafted public key into their keyring\ndatabase, causing the keyring to be corrupted and preventing its further\nuse. (CVE-2012-6085)\n\nIt was found that GnuPG did not properly interpret the key flags in a PGP\nkey packet. GPG could accept a key for uses not indicated by its holder.\n(CVE-2013-4351)\n\nRed Hat would like to thank Werner Koch for reporting the CVE-2013-4402\nissue. Upstream acknowledges Taylor R Campbell as the original reporter.\n\nAll gnupg2 users are advised to upgrade to this updated package, which\ncontains backported patches to correct these issues.\n", "reporter": "RedHat", "published": "2013-10-24T04:00:00", "type": "redhat", "title": "(RHSA-2013:1459) Moderate: gnupg2 security update", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-6085", "CVE-2013-4351", "CVE-2013-4402"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:18", "id": "RHSA-2013:1459", "href": "https://access.redhat.com/errata/RHSA-2013:1459", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-09T07:19:28", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg-debuginfo", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.1.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.1.src.rpm", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg-debuginfo", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.1.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg-debuginfo", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.1.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg-debuginfo", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.1.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg-debuginfo", "packageFilename": "gnupg-debuginfo-1.4.5-18.el5_10.1.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "packageName": "gnupg", "packageFilename": "gnupg-1.4.5-18.el5_10.1.ia64.rpm", "arch": "ia64", "operator": "lt"}], "description": "The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and\ncreating digital signatures, compliant with the proposed OpenPGP Internet\nstandard and the S/MIME standard.\n\nIt was found that GnuPG was vulnerable to side-channel attacks via acoustic\ncryptanalysis. An attacker in close range to a target system that is\ndecrypting ciphertexts could possibly use this flaw to recover the RSA\nsecret key from that system. (CVE-2013-4576)\n\nRed Hat would like to thank Werner Koch of GnuPG upstream for reporting\nthis issue. Upstream acknowledges Genkin, Shamir, and Tromer as the\noriginal reporters.\n\nAll gnupg users are advised to upgrade to this updated package, which\ncontains a backported patch to correct this issue.\n", "reporter": "RedHat", "published": "2014-01-08T05:00:00", "type": "redhat", "title": "(RHSA-2014:0016) Moderate: gnupg security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T11:55:55", "id": "RHSA-2014:0016", "href": "https://access.redhat.com/errata/RHSA-2014:0016", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-06-12T21:09:37", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "src", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ppc", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ppc64", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ppc", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ppc64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ppc", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ppc64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "s390", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "s390x", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "s390", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "s390x", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "s390", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "s390x", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ia64", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.4-7.el5_10.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ia64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ia64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.4-7.el5_10.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "src", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.5-11.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "ppc", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.5-11.el6_4.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "ppc64", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.5-11.el6_4.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "ppc", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "ppc", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "ppc64", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "ppc64", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "s390", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.5-11.el6_4.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "s390x", "packageName": "libgcrypt-debuginfo", "packageFilename": "libgcrypt-debuginfo-1.4.5-11.el6_4.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "s390", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "s390", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "s390x", "packageName": "libgcrypt", "packageFilename": "libgcrypt-1.4.5-11.el6_4.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "s390x", "packageName": "libgcrypt-devel", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.s390x.rpm", "operator": "lt"}], "description": "The libgcrypt library provides general-purpose implementations of various\ncryptographic algorithms.\n\nIt was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload\ncache side-channel attack on the RSA secret exponent. An attacker able to\nexecute a process on the logical CPU that shared the L3 cache with the\nGnuPG process (such as a different local user or a user of a KVM guest\nrunning on the same host with the kernel same-page merging functionality\nenabled) could possibly use this flaw to obtain portions of the RSA secret\nkey. (CVE-2013-4242)\n\nAll libgcrypt users are advised to upgrade to this updated package, which\ncontains a backported patch to correct this issue.\n", "reporter": "RedHat", "published": "2013-10-24T04:00:00", "type": "redhat", "title": "(RHSA-2013:1457) Moderate: libgcrypt security update", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:16", "id": "RHSA-2013:1457", "href": "https://access.redhat.com/errata/RHSA-2013:1457", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-06-13T00:00:49", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.5-20131115.0.3.2.el6_5", "arch": "noarch", "packageName": "rhev-hypervisor6", "packageFilename": "rhev-hypervisor6-6.5-20131115.0.3.2.el6_5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.5-20131115.0.3.2.el6_5", "arch": "src", "packageName": "rhev-hypervisor6", "packageFilename": "rhev-hypervisor6-6.5-20131115.0.3.2.el6_5.src.rpm", "operator": "lt"}], "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: a subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nUpgrade Note: If you upgrade the Red Hat Enterprise Virtualization\nHypervisor through the 3.2 Manager administration portal, the Host may\nappear with the status of \"Install Failed\". If this happens, place the host\ninto maintenance mode, then activate it again to get the host back to an\n\"Up\" state.\n\nA buffer overflow flaw was found in the way QEMU processed the SCSI \"REPORT\nLUNS\" command when more than 256 LUNs were specified for a single SCSI\ntarget. A privileged guest user could use this flaw to corrupt QEMU process\nmemory on the host, which could potentially result in arbitrary code\nexecution on the host with the privileges of the QEMU process.\n(CVE-2013-4344)\n\nMultiple flaws were found in the way Linux kernel handled HID (Human\nInterface Device) reports. An attacker with physical access to the system\ncould use this flaw to crash the system or, potentially, escalate their\nprivileges on the system. (CVE-2013-2888, CVE-2013-2889, CVE-2013-2892)\n\nA flaw was found in the way the Python SSL module handled X.509 certificate\nfields that contain a NULL byte. An attacker could potentially exploit this\nflaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that\nto exploit this issue, an attacker would need to obtain a carefully crafted\ncertificate signed by an authority that the client trusts. (CVE-2013-4238)\n\nThe default OpenSSH configuration made it easy for remote attackers to\nexhaust unauthorized connection slots and prevent other users from being\nable to log in to a system. This flaw has been addressed by enabling random\nearly connection drops by setting MaxStartups to 10:30:100 by default.\nFor more information, refer to the sshd_config(5) man page. (CVE-2010-5107)\n\nThe CVE-2013-4344 issue was discovered by Asias He of Red Hat.\n\nThis updated package provides updated components that include fixes for\nvarious security issues. These issues have no security impact on Red Hat\nEnterprise Virtualization Hypervisor itself, however. The security fixes\nincluded in this update address the following CVE numbers:\n\nCVE-2012-0786 and CVE-2012-0787 (augeas issues)\n\nCVE-2013-1813 (busybox issue)\n\nCVE-2013-0221, CVE-2013-0222, and CVE-2013-0223 (coreutils issues)\n\nCVE-2012-4453 (dracut issue)\n\nCVE-2013-4332, CVE-2013-0242, and CVE-2013-1914 (glibc issues)\n\nCVE-2013-4387, CVE-2013-0343, CVE-2013-4345, CVE-2013-4591, CVE-2013-4592,\nCVE-2012-6542, CVE-2013-3231, CVE-2013-1929, CVE-2012-6545, CVE-2013-1928,\nCVE-2013-2164, CVE-2013-2234, and CVE-2013-2851 (kernel issues)\n\nCVE-2013-4242 (libgcrypt issue)\n\nCVE-2013-4419 (libguestfs issue)\n\nCVE-2013-1775, CVE-2013-2776, and CVE-2013-2777 (sudo issues)\n\nThis update also fixes the following bug:\n\n* A previous version of the rhev-hypervisor6 package did not contain the\nlatest vhostmd package, which provides a \"metrics communication channel\"\nbetween a host and its hosted virtual machines, allowing limited\nintrospection of host resource usage from within virtual machines. This has\nbeen fixed, and rhev-hypervisor6 now includes the latest vhostmd package.\n(BZ#1026703)\n\nThis update also contains the fixes from the following errata:\n\n* ovirt-node: https://rhn.redhat.com/errata/RHBA-2013-1528.html\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which corrects these issues.\n", "reporter": "RedHat", "published": "2013-11-21T05:00:00", "type": "redhat", "title": "(RHSA-2013:1527) Important: rhev-hypervisor6 security and bug fix update", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-5107", "CVE-2012-0786", "CVE-2012-0787", "CVE-2012-4453", "CVE-2012-6542", "CVE-2012-6545", "CVE-2013-0221", "CVE-2013-0222", "CVE-2013-0223", "CVE-2013-0242", "CVE-2013-0343", "CVE-2013-1775", "CVE-2013-1813", "CVE-2013-1914", "CVE-2013-1928", "CVE-2013-1929", "CVE-2013-2164", "CVE-2013-2234", "CVE-2013-2776", "CVE-2013-2777", "CVE-2013-2851", "CVE-2013-2888", "CVE-2013-2889", "CVE-2013-2892", "CVE-2013-3231", "CVE-2013-4238", "CVE-2013-4242", "CVE-2013-4332", "CVE-2013-4344", "CVE-2013-4345", "CVE-2013-4387", "CVE-2013-4419", "CVE-2013-4591", "CVE-2013-4592"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T08:59:39", "id": "RHSA-2013:1527", "href": "https://access.redhat.com/errata/RHSA-2013:1527", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:37:57", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "x86_64", "packageFilename": "gnupg-1.4.5-18.el5_10.x86_64.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "ia64", "packageFilename": "gnupg-1.4.5-18.el5_10.ia64.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10", "arch": "i386", "packageFilename": "gnupg-1.4.5-18.el5_10.i386.rpm", "packageName": "gnupg", "operator": "lt"}], "description": "[1.4.5-18]\n- fix CVE-2013-4351 gpg treats no-usage-permitted keys as all-usages-permitted\n[1.4.5-17]\n- fix CVE-2012-6085 GnuPG: read_block() corrupt key input validation\n- fix CVE-2013-4242 GnuPG susceptible to Yarom/Falkner side-channel attack\n- fix CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser\n[1.4.5-15]\n- fix error when decrypting certain files (#510500)", "edition": 3, "reporter": "Oracle", "published": "2013-10-24T00:00:00", "title": "gnupg security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242", "CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2013-10-24T00:00:00", "id": "ELSA-2013-1458", "href": "http://linux.oracle.com/errata/ELSA-2013-1458.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:39:16", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "i386", "packageFilename": "gnupg2-2.0.10-6.el5_10.i386.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "i686", "packageFilename": "gnupg2-2.0.14-6.el6_4.i686.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "ia64", "packageFilename": "gnupg2-2.0.10-6.el5_10.ia64.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "x86_64", "packageFilename": "gnupg2-2.0.14-6.el6_4.x86_64.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "x86_64", "packageFilename": "gnupg2-2.0.10-6.el5_10.x86_64.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "src", "packageFilename": "gnupg2-2.0.14-6.el6_4.src.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "src", "packageFilename": "gnupg2-2.0.14-6.el6_4.src.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "src", "packageFilename": "gnupg2-2.0.10-6.el5_10.src.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "src", "packageFilename": "gnupg2-2.0.10-6.el5_10.src.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "2.0.10-6.el5_10", "arch": "src", "packageFilename": "gnupg2-2.0.10-6.el5_10.src.rpm", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "x86_64", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.x86_64.rpm", "packageName": "gnupg2-smime", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.0.14-6.el6_4", "arch": "i686", "packageFilename": "gnupg2-smime-2.0.14-6.el6_4.i686.rpm", "packageName": "gnupg2-smime", "operator": "lt"}], "description": "[2.0.14-6]\n- fix CVE-2013-4351 gpg treats no-usage-permitted keys as all-usages-permitted\n[2.0.14-5]\n- fix CVE-2012-6085 GnuPG: read_block() corrupt key input validation\n- fix CVE-2013-4402 GnuPG: infinite recursion in the compressed packet parser", "edition": 3, "reporter": "Oracle", "published": "2013-10-24T00:00:00", "title": "gnupg2 security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351", "CVE-2012-6085"], "modified": "2013-10-24T00:00:00", "id": "ELSA-2013-1459", "href": "http://linux.oracle.com/errata/ELSA-2013-1459.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:47:58", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.1.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.1.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "arch": "src", "packageFilename": "gnupg-1.4.5-18.el5_10.1.src.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "arch": "ia64", "packageFilename": "gnupg-1.4.5-18.el5_10.1.ia64.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "arch": "x86_64", "packageFilename": "gnupg-1.4.5-18.el5_10.1.x86_64.rpm", "packageName": "gnupg", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.5-18.el5_10.1", "arch": "i386", "packageFilename": "gnupg-1.4.5-18.el5_10.1.i386.rpm", "packageName": "gnupg", "operator": "lt"}], "description": "[1.4.5-18.1]\n- fix CVE-2013-4576 acoustic side channel attack on RSA private keys", "edition": 3, "reporter": "Oracle", "published": "2014-01-08T00:00:00", "title": "gnupg security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2014-01-08T00:00:00", "id": "ELSA-2014-0016", "href": "http://linux.oracle.com/errata/ELSA-2014-0016.html", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:46:28", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageFilename": "libgcrypt-1.4.4-7.el5_10.x86_64.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ia64", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.ia64.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "src", "packageFilename": "libgcrypt-1.4.4-7.el5_10.src.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "src", "packageFilename": "libgcrypt-1.4.4-7.el5_10.src.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "src", "packageFilename": "libgcrypt-1.4.4-7.el5_10.src.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "src", "packageFilename": "libgcrypt-1.4.5-11.el6_4.src.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "src", "packageFilename": "libgcrypt-1.4.5-11.el6_4.src.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageFilename": "libgcrypt-1.4.5-11.el6_4.x86_64.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.i686.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.i686.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageFilename": "libgcrypt-1.4.5-11.el6_4.i686.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "i686", "packageFilename": "libgcrypt-1.4.5-11.el6_4.i686.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.i386.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.i386.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "ia64", "packageFilename": "libgcrypt-1.4.4-7.el5_10.ia64.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageFilename": "libgcrypt-1.4.4-7.el5_10.i386.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageFilename": "libgcrypt-1.4.4-7.el5_10.i386.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "i386", "packageFilename": "libgcrypt-1.4.4-7.el5_10.i386.rpm", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.4.5-11.el6_4", "arch": "x86_64", "packageFilename": "libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "5", "packageVersion": "1.4.4-7.el5_10", "arch": "x86_64", "packageFilename": "libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm", "packageName": "libgcrypt-devel", "operator": "lt"}], "description": "[1.4.5-11]\n- fix CVE-2013-4242 GnuPG/libgcrypt susceptible to cache side-channel attack\n[1.4.5-10]\n- Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command", "edition": 3, "reporter": "Oracle", "published": "2013-10-24T00:00:00", "title": "libgcrypt security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-10-24T00:00:00", "id": "ELSA-2013-1457", "href": "http://linux.oracle.com/errata/ELSA-2013-1457.html", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "debian": [{"lastseen": "2016-09-02T18:25:21", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "1.4.10-4+squeeze3", "arch": "all", "packageFilename": "gnupg_1.4.10-4+squeeze3_all.deb", "packageName": "gnupg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u2", "arch": "all", "packageFilename": "gnupg-curl_1.4.12-7+deb7u2_all.deb", "packageName": "gnupg-curl", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u2", "arch": "all", "packageFilename": "gnupg_1.4.12-7+deb7u2_all.deb", "packageName": "gnupg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u2", "arch": "all", "packageFilename": "gpgv-win32_1.4.12-7+deb7u2_all.deb", "packageName": "gpgv-win32", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u2", "arch": "all", "packageFilename": "gpgv_1.4.12-7+deb7u2_all.deb", "packageName": "gpgv", "operator": "lt"}], "description": "Two vulnerabilities were discovered in GnuPG, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2013-4351](<https://security-tracker.debian.org/tracker/CVE-2013-4351>)\n\nWhen a key or subkey had its key flags subpacket set to all bits off, GnuPG currently would treat the key as having all bits set. That is, where the owner wanted to indicate no use permitted, GnuPG would interpret it as all use permitted. Such no use permitted keys are rare and only used in very special circumstances.\n\n * [CVE-2013-4402](<https://security-tracker.debian.org/tracker/CVE-2013-4402>)\n\nInfinite recursion in the compressed packet parser was possible with crafted input data, which may be used to cause a denial of service.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in version 1.4.10-4+squeeze3.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 1.4.12-7+deb7u2.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.4.15-1.\n\nWe recommend that you upgrade your gnupg packages.", "edition": 1, "reporter": "Debian", "published": "2013-10-10T00:00:00", "title": "gnupg -- several vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2013-10-10T00:00:00", "id": "DSA-2773", "href": "http://www.debian.org/security/dsa-2773", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-02T18:19:08", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "2.0.19-2+deb7u1", "packageFilename": "scdaemon_2.0.19-2+deb7u1_all.deb", "packageName": "scdaemon", "arch": "all", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "2.0.19-2+deb7u1", "packageFilename": "gnupg2_2.0.19-2+deb7u1_all.deb", "packageName": "gnupg2", "arch": "all", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "2.0.19-2+deb7u1", "packageFilename": "gpgsm_2.0.19-2+deb7u1_all.deb", "packageName": "gpgsm", "arch": "all", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "2.0.14-2+squeeze2", "packageFilename": "gnupg2_2.0.14-2+squeeze2_all.deb", "packageName": "gnupg2", "arch": "all", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "2.0.19-2+deb7u1", "packageFilename": "gnupg-agent_2.0.19-2+deb7u1_all.deb", "packageName": "gnupg-agent", "arch": "all", "operator": "lt"}], "description": "Two vulnerabilities were discovered in GnuPG 2, the GNU privacy guard, a free PGP replacement. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2013-4351](<https://security-tracker.debian.org/tracker/CVE-2013-4351>)\n\nWhen a key or subkey had its key flags subpacket set to all bits off, GnuPG currently would treat the key as having all bits set. That is, where the owner wanted to indicate no use permitted, GnuPG would interpret it as all use permitted. Such no use permitted keys are rare and only used in very special circumstances.\n\n * [CVE-2013-4402](<https://security-tracker.debian.org/tracker/CVE-2013-4402>)\n\nInfinite recursion in the compressed packet parser was possible with crafted input data, which may be used to cause a denial of service.\n\nFor the oldstable distribution (squeeze), these problems have been fixed in version 2.0.14-2+squeeze2.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 2.0.19-2+deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 2.0.22-1.\n\nWe recommend that you upgrade your gnupg2 packages.", "edition": 1, "reporter": "Debian", "published": "2013-10-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "gnupg2 -- several vulnerabilities", "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2013-10-10T00:00:00", "id": "DSA-2774", "href": "http://www.debian.org/security/dsa-2774", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-02T18:27:56", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u3", "packageName": "gnupg-curl", "arch": "all", "packageFilename": "gnupg-curl_1.4.12-7+deb7u3_all.deb", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "1.4.10-4+squeeze4", "packageName": "gnupg", "arch": "all", "packageFilename": "gnupg_1.4.10-4+squeeze4_all.deb", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u3", "packageName": "gnupg", "arch": "all", "packageFilename": "gnupg_1.4.12-7+deb7u3_all.deb", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u3", "packageName": "gpgv-win32", "arch": "all", "packageFilename": "gpgv-win32_1.4.12-7+deb7u3_all.deb", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u3", "packageName": "gpgv", "arch": "all", "packageFilename": "gpgv_1.4.12-7+deb7u3_all.deb", "operator": "lt"}], "edition": 1, "description": "Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 1.4.10-4+squeeze4.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u3.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1.4.15-3.\n\nWe recommend that you upgrade your gnupg packages.", "reporter": "Debian", "published": "2013-12-18T00:00:00", "title": "gnupg -- side channel attack", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2013-12-18T00:00:00", "href": "http://www.debian.org/security/dsa-2821", "id": "DSA-2821", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-02T18:30:13", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.5.0-5+deb7u1", "arch": "all", "packageFilename": "libgcrypt11-dev_1.5.0-5+deb7u1_all.deb", "packageName": "libgcrypt11-dev", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.5.0-5+deb7u1", "arch": "all", "packageFilename": "libgcrypt11-doc_1.5.0-5+deb7u1_all.deb", "packageName": "libgcrypt11-doc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.5.0-5+deb7u1", "arch": "all", "packageFilename": "libgcrypt11_1.5.0-5+deb7u1_all.deb", "packageName": "libgcrypt11", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.5.0-5+deb7u1", "arch": "all", "packageFilename": "libgcrypt11-dbg_1.5.0-5+deb7u1_all.deb", "packageName": "libgcrypt11-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "1.4.5-2+squeeze1", "arch": "all", "packageFilename": "libgcrypt11_1.4.5-2+squeeze1_all.deb", "packageName": "libgcrypt11", "operator": "lt"}], "description": "Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 1.4.5-2+squeeze1.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.5.0-5+deb7u1.\n\nFor the testing distribution (jessie) and unstable distribution (sid), this problem has been fixed in version 1.5.3-1.\n\nWe recommend that you upgrade your libgcrypt11 packages.", "edition": 1, "reporter": "Debian", "published": "2013-07-29T00:00:00", "title": "libgcrypt11 -- information leak", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-07-29T00:00:00", "id": "DSA-2731", "href": "http://www.debian.org/security/dsa-2731", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-02T18:33:15", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u1", "arch": "all", "packageFilename": "gpgv_1.4.12-7+deb7u1_all.deb", "packageName": "gpgv", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u1", "arch": "all", "packageFilename": "gnupg-curl_1.4.12-7+deb7u1_all.deb", "packageName": "gnupg-curl", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "6", "packageVersion": "1.4.10-4+squeeze2", "arch": "all", "packageFilename": "gnupg_1.4.10-4+squeeze2_all.deb", "packageName": "gnupg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u1", "arch": "all", "packageFilename": "gnupg_1.4.12-7+deb7u1_all.deb", "packageName": "gnupg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "7", "packageVersion": "1.4.12-7+deb7u1", "arch": "all", "packageFilename": "gpgv-win32_1.4.12-7+deb7u1_all.deb", "packageName": "gpgv-win32", "operator": "lt"}], "description": "Yarom and Falkner discovered that RSA secret keys could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system.\n\nThis update fixes this issue for the 1.4 series of GnuPG. GnuPG 2.x is affected through its use of the libgcrypt11 library, a fix for which will be published in DSA 2731.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 1.4.10-4+squeeze2.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 1.4.14-1.\n\nWe recommend that you upgrade your gnupg packages.", "edition": 1, "reporter": "Debian", "published": "2013-07-29T00:00:00", "title": "gnupg -- information leak", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-07-29T00:00:00", "id": "DSA-2730", "href": "http://www.debian.org/security/dsa-2730", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:53", "references": ["https://vulners.com/securityvulns/securityvulns:doc:29930"], "description": "Protection bypass, DoS.", "edition": 1, "reporter": "BUGTRAQ", "published": "2013-10-12T00:00:00", "title": "GnuPG security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:53", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "GnuPG", "version": "2.1", "operator": "eq"}], "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2013-10-12T00:00:00", "id": "SECURITYVULNS:VULN:13360", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13360", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:49", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2013:247\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : gnupg\r\n Date : October 10, 2013\r\n Affected: Business Server 1.0, Enterprise Server 5.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Multiple vulnerabilities has been discovered and corrected in gnupg:\r\n \r\n GnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with\r\n all bits cleared (no usage permitted) as if it has all bits set\r\n (all usage permitted), which might allow remote attackers to bypass\r\n intended cryptographic protection mechanisms by leveraging the subkey\r\n (CVE-2013-4351).\r\n \r\n Special crafted input data may be used to cause a denial of service\r\n against GPG. GPG can be forced to recursively parse certain parts of\r\n OpenPGP messages ad infinitum (CVE-2013-4402).\r\n \r\n The updated packages have been patched to correct this issue.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402\r\n http://advisories.mageia.org/MGASA-2013-0299.html\r\n http://advisories.mageia.org/MGASA-2013-0303.html\r\n http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00002.html\r\n http://lists.gnu.org/archive/html/info-gnu/2013-10/msg00003.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Enterprise Server 5:\r\n fbd115f23ec4f6a05582ae80e49e7645 mes5/i586/gnupg-1.4.9-5.3mdvmes5.2.i586.rpm\r\n 6acd4c8754851b6538b65b0e47b0b713 mes5/i586/gnupg2-2.0.9-3.3mdvmes5.2.i586.rpm \r\n 241f14f857ac10bcdb27d85dada891dd mes5/SRPMS/gnupg-1.4.9-5.3mdvmes5.2.src.rpm\r\n 57f10f15a3dabba96af7a0056536613b mes5/SRPMS/gnupg2-2.0.9-3.3mdvmes5.2.src.rpm\r\n\r\n Mandriva Enterprise Server 5/X86_64:\r\n 89b1885f005f3eaf6b0f9d11fb787554 mes5/x86_64/gnupg-1.4.9-5.3mdvmes5.2.x86_64.rpm\r\n e8066bcd0cfcab70000adc18598854f9 mes5/x86_64/gnupg2-2.0.9-3.3mdvmes5.2.x86_64.rpm \r\n 241f14f857ac10bcdb27d85dada891dd mes5/SRPMS/gnupg-1.4.9-5.3mdvmes5.2.src.rpm\r\n 57f10f15a3dabba96af7a0056536613b mes5/SRPMS/gnupg2-2.0.9-3.3mdvmes5.2.src.rpm\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 284ac6d2ad095ce979df482fa99d210a mbs1/x86_64/gnupg-1.4.12-3.2.mbs1.x86_64.rpm\r\n a118676f072c0a52988f2aeec6bf86af mbs1/x86_64/gnupg2-2.0.18-3.2.mbs1.x86_64.rpm \r\n 8e07611a9d7e2d7ab16d01a6a9d4090b mbs1/SRPMS/gnupg-1.4.12-3.2.mbs1.src.rpm\r\n db92e694092193f98dc2fd43fe6c3912 mbs1/SRPMS/gnupg2-2.0.18-3.2.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 (GNU/Linux)\r\n\r\niD8DBQFSVnYCmqjQ0CJFipgRArb0AKDO1x51xpdkXHmgOiOxjw6ei5SLAACZAVJZ\r\nDry2GuDwPgRZX3xGrxTWbFU=\r\n=s4km\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-10-12T00:00:00", "title": "[ MDVSA-2013:247 ] gnupg", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:49", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2013-10-12T00:00:00", "id": "SECURITYVULNS:DOC:29930", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29930", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:53", "references": ["https://vulners.com/securityvulns/securityvulns:doc:30127"], "description": "It's possible to resover sensitive information via acousitc emanations.", "edition": 1, "reporter": "BUGTRAQ", "published": "2013-12-23T00:00:00", "title": "GnuPG acoustic attack", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:53", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "GnuPG", "version": "1.4", "operator": "eq"}], "cvelist": ["CVE-2013-4576"], "modified": "2013-12-23T00:00:00", "id": "SECURITYVULNS:VULN:13461", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13461", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:50", "references": [], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2059-1\r\nDecember 18, 2013\r\n\r\ngnupg vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 13.10\r\n- Ubuntu 13.04\r\n- Ubuntu 12.10\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nGnuPG could expose sensitive information when performing decryption.\r\n\r\nSoftware Description:\r\n- gnupg: GNU privacy guard - a free PGP replacement\r\n\r\nDetails:\r\n\r\nDaniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was\r\nsusceptible to an adaptive chosen ciphertext attack via acoustic\r\nemanations. A local attacker could use this attack to possibly recover\r\nprivate keys.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 13.10:\r\n gnupg 1.4.14-1ubuntu2.1\r\n\r\nUbuntu 13.04:\r\n gnupg 1.4.12-7ubuntu1.3\r\n\r\nUbuntu 12.10:\r\n gnupg 1.4.11-3ubuntu4.4\r\n\r\nUbuntu 12.04 LTS:\r\n gnupg 1.4.11-3ubuntu2.5\r\n\r\nUbuntu 10.04 LTS:\r\n gnupg 1.4.10-2ubuntu1.5\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2059-1\r\n CVE-2013-4576\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/gnupg/1.4.14-1ubuntu2.1\r\n https://launchpad.net/ubuntu/+source/gnupg/1.4.12-7ubuntu1.3\r\n https://launchpad.net/ubuntu/+source/gnupg/1.4.11-3ubuntu4.4\r\n https://launchpad.net/ubuntu/+source/gnupg/1.4.11-3ubuntu2.5\r\n https://launchpad.net/ubuntu/+source/gnupg/1.4.10-2ubuntu1.5\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-12-23T00:00:00", "title": "[USN-2059-1] GnuPG vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:50", "vector": "NONE", "value": 2.1}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4576"], "modified": "2013-12-23T00:00:00", "id": "SECURITYVULNS:DOC:30127", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30127", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:52", "references": ["https://vulners.com/securityvulns/securityvulns:doc:29699"], "description": "Private key recovery by using CPU L3 cache timings.", "edition": 1, "reporter": "BUGTRAQ", "published": "2013-08-12T00:00:00", "title": "gnupg / libcrypt RSA implementation flush+reload timing attack", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:52", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "GnuPG", "version": "1.4", "operator": "eq"}, {"name": "libcrypt", "version": "1.5", "operator": "eq"}], "cvelist": ["CVE-2013-4242"], "modified": "2013-08-12T00:00:00", "id": "SECURITYVULNS:VULN:13243", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13243", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:48", "references": [], "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[slackware-security] gnupg / libgcrypt (SSA:2013-215-01)\r\n\r\nNew gnupg and libgcrypt packages are available for Slackware 12.1, 12.2, 13.0,\r\n13.1, 13.37, 14.0, and -current to fix a security issue. New libgpg-error\r\npackages are also available for Slackware 13.1 and older as the supplied\r\nversion wasn't new enough to compile the fixed version of libgcrypt.\r\n\r\n\r\nHere are the details from the Slackware 14.0 ChangeLog:\r\n+--------------------------+\r\npatches/packages/gnupg-1.4.14-i486-1_slack14.0.txz: Upgraded.\r\n Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA\r\n secret keys.\r\n For more information, see:\r\n http://eprint.iacr.org/2013/448\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242\r\n (* Security fix *)\r\npatches/packages/libgcrypt-1.5.3-i486-1_slack14.0.txz: Upgraded.\r\n Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA\r\n secret keys.\r\n For more information, see:\r\n http://eprint.iacr.org/2013/448\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242\r\n (* Security fix *)\r\n+--------------------------+\r\n\r\n\r\nWhere to find the new packages:\r\n+-----------------------------+\r\n\r\nThanks to the friendly folks at the OSU Open Source Lab\r\n(http://osuosl.org) for donating FTP and rsync hosting\r\nto the Slackware project! \r\n\r\nAlso see the "Get Slack" section on http://slackware.com for\r\nadditional mirror sites near you.\r\n\r\nUpdated packages for Slackware 12.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packagess/gnupg-1.4.14-i486-1_slack12.1.tgz\r\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packagess/libgcrypt-1.5.3-i486-1_slack12.1.tgz\r\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packagess/libgpg-error-1.11-i486-1_slack12.1.tgz\r\n\r\nUpdated packages for Slackware 12.2:\r\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packagess/gnupg-1.4.14-i486-1_slack12.2.tgz\r\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packagess/libgcrypt-1.5.3-i486-1_slack12.2.tgz\r\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packagess/libgpg-error-1.11-i486-1_slack12.2.tgz\r\n\r\nUpdated packages for Slackware 13.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packagess/gnupg-1.4.14-i486-1_slack13.0.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packagess/libgcrypt-1.5.3-i486-1_slack13.0.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packagess/libgpg-error-1.11-i486-1_slack13.0.txz\r\n\r\nUpdated packages for Slackware x86_64 13.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packagess/gnupg-1.4.14-x86_64-1_slack13.0.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packagess/libgcrypt-1.5.3-x86_64-1_slack13.0.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packagess/libgpg-error-1.11-x86_64-1_slack13.0.txz\r\n\r\nUpdated packages for Slackware 13.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packagess/gnupg-1.4.14-i486-1_slack13.1.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packagess/libgcrypt-1.5.3-i486-1_slack13.1.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packagess/libgpg-error-1.11-i486-1_slack13.1.txz\r\n\r\nUpdated packages for Slackware x86_64 13.1:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packagess/gnupg-1.4.14-x86_64-1_slack13.1.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packagess/libgcrypt-1.5.3-x86_64-1_slack13.1.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packagess/libgpg-error-1.11-x86_64-1_slack13.1.txz\r\n\r\nUpdated packages for Slackware 13.37:\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packagess/gnupg-1.4.14-i486-1_slack13.37.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packagess/libgcrypt-1.5.3-i486-1_slack13.37.txz\r\n\r\nUpdated packages for Slackware x86_64 13.37:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packagess/gnupg-1.4.14-x86_64-1_slack13.37.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packagess/libgcrypt-1.5.3-x86_64-1_slack13.37.txz\r\n\r\nUpdated packages for Slackware 14.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packagess/gnupg-1.4.14-i486-1_slack14.0.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packagess/libgcrypt-1.5.3-i486-1_slack14.0.txz\r\n\r\nUpdated packages for Slackware x86_64 14.0:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packagess/gnupg-1.4.14-x86_64-1_slack14.0.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packagess/libgcrypt-1.5.3-x86_64-1_slack14.0.txz\r\n\r\nUpdated packages for Slackware -current:\r\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg-1.4.14-i486-1.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/libgcrypt-1.5.3-i486-1.txz\r\n\r\nUpdated packages for Slackware x86_64 -current:\r\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg-1.4.14-x86_64-1.txz\r\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/libgcrypt-1.5.3-x86_64-1.txz\r\n\r\n\r\nMD5 signatures:\r\n+-------------+\r\n\r\nSlackware 12.1 packages:\r\nedfa6b7fd6406ed4abd81a1a9cd968a6 gnupg-1.4.14-i486-1_slack12.1.tgz\r\n6d50ecae51b1bb5e4901a93441c8d979 libgcrypt-1.5.3-i486-1_slack12.1.tgz\r\n012330680b03d757be4425c9ae536933 libgpg-error-1.11-i486-1_slack12.1.tgz\r\n\r\nSlackware 12.2 packages:\r\n64b7f7356246b46764079910885e91ea gnupg-1.4.14-i486-1_slack12.2.tgz\r\n0bf6ae65411c96d9bd8893cc1b41040a libgcrypt-1.5.3-i486-1_slack12.2.tgz\r\ne3669f73f15b88576cbb219ad2ca39a3 libgpg-error-1.11-i486-1_slack12.2.tgz\r\n\r\nSlackware 13.0 packages:\r\n93e89b3a685ce45179a4708158de6d63 gnupg-1.4.14-i486-1_slack13.0.txz\r\nc7f1d20e76c639d2e412254909130dd7 libgcrypt-1.5.3-i486-1_slack13.0.txz\r\n4f75e8be0543bfb9aa8067a2e4632b3f libgpg-error-1.11-i486-1_slack13.0.txz\r\n\r\nSlackware x86_64 13.0 packages:\r\nb1725df1cb6183c22a385e41d68099ed gnupg-1.4.14-x86_64-1_slack13.0.txz\r\n4b1ae976b6b855de8c320cdeba870b67 libgcrypt-1.5.3-x86_64-1_slack13.0.txz\r\n4c3f64870f18afdc2054cf5e47a5cbb4 libgpg-error-1.11-x86_64-1_slack13.0.txz\r\n\r\nSlackware 13.1 packages:\r\nb2f19bf31eab2d1e0ab32004f62baa20 gnupg-1.4.14-i486-1_slack13.1.txz\r\naec46a60340156b66d4aacf1cae150d7 libgcrypt-1.5.3-i486-1_slack13.1.txz\r\n6f939d0733758181bbd18863144d089c libgpg-error-1.11-i486-1_slack13.1.txz\r\n\r\nSlackware x86_64 13.1 packages:\r\nee43d4a0a3c84add3c7b0ee616bb97bb gnupg-1.4.14-x86_64-1_slack13.1.txz\r\n11621b833256b6e69f9f925572e2b652 libgcrypt-1.5.3-x86_64-1_slack13.1.txz\r\n835e0e7e05d6f70888927cdc8f7ba4c4 libgpg-error-1.11-x86_64-1_slack13.1.txz\r\n\r\nSlackware 13.37 packages:\r\n341734a954fcaaff59de62cb8fad8ba2 gnupg-1.4.14-i486-1_slack13.37.txz\r\nfb40f68f56ee0ae72c4b7ded47d39049 libgcrypt-1.5.3-i486-1_slack13.37.txz\r\n\r\nSlackware x86_64 13.37 packages:\r\ne437855c2593ea655c8a1999622f07d4 gnupg-1.4.14-x86_64-1_slack13.37.txz\r\n89b4e2fef96511e5cba56ab37d6b06d4 libgcrypt-1.5.3-x86_64-1_slack13.37.txz\r\n\r\nSlackware 14.0 packages:\r\nfa77aa1d0fd98071a59e2879477d9687 gnupg-1.4.14-i486-1_slack14.0.txz\r\n0f1b846d23f0d876a5f044e116d07f6d libgcrypt-1.5.3-i486-1_slack14.0.txz\r\n\r\nSlackware x86_64 14.0 packages:\r\n7046e1c0d35427659633d746b2c350af gnupg-1.4.14-x86_64-1_slack14.0.txz\r\n6381a6cfbe00c5450e0d92518bf41202 libgcrypt-1.5.3-x86_64-1_slack14.0.txz\r\n\r\nSlackware -current packages:\r\n2bebcc3164c45d8a68d24f5c807b15a2 n/gnupg-1.4.14-i486-1.txz\r\n67e7f7d3c3215c3da7860ed882cf9ce3 n/libgcrypt-1.5.3-i486-1.txz\r\n\r\nSlackware x86_64 -current packages:\r\na3423fe0d47ad239db726f83acfe1b0b n/gnupg-1.4.14-x86_64-1.txz\r\n0751449407fd5b87c6936f53ec154a79 n/libgcrypt-1.5.3-x86_64-1.txz\r\n\r\n\r\nInstallation instructions:\r\n+------------------------+\r\n\r\nUpgrade the packages as root:\r\n# upgradepkg gnupg-1.4.14-i486-1_slack14.0.txz libgcrypt-1.5.3-i486-1_slack14.0.txz\r\n\r\n\r\n+-----+\r\n\r\nSlackware Linux Security Team\r\nhttp://slackware.com/gpg-key\r\nsecurity@slackware.com\r\n\r\n+------------------------------------------------------------------------+\r\n| To leave the slackware-security mailing list: |\r\n+------------------------------------------------------------------------+\r\n| Send an email to majordomo@slackware.com with this text in the body of |\r\n| the email message: |\r\n| |\r\n| unsubscribe slackware-security |\r\n| |\r\n| You will get a confirmation message back containing instructions to |\r\n| complete the process. Please do not reply to this email address. |\r\n+------------------------------------------------------------------------+\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.14 (GNU/Linux)\r\n\r\niEYEARECAAYFAlH9cJMACgkQakRjwEAQIjMx2gCffL116ouqvw4B3y/gxf4chPyy\r\nQbIAni3WPHjkgLSfpGT/MBqabHEhB992\r\n=tJw3\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-08-12T00:00:00", "title": "[slackware-security] gnupg / libgcrypt (SSA:2013-215-01)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:48", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4242"], "modified": "2013-08-12T00:00:00", "id": "SECURITYVULNS:DOC:29699", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29699", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:57", "references": [], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities\r\n\r\nEMC Identifier: ESA-2015-002\r\n \t\r\nCVE Identifier: CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902, CVE-2012-5885, CVE-2011-3389, CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, CVE-2013-1797, CVE-2013-0231, CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, CVE-2013-2634, CVE-2013-0268, CVE-2013-0913,CVE-2013-1772, CVE-2013-0216, CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798, CVE-2013-4242, CVE-2014-0138, CVE-2014-0139, CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139, CVE-2012-6085, CVE-2014-2403, CVE-2014-0446, CVE-2014-0457, CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, CVE-2014-2397, CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, CVE-2014-2420, CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, CVE-2014-0461, CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, CVE-2014-0456, CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, CVE-2014-0463, CVE-2014-2410 , CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, CVE-2014-2402, CVE-2014-0452, CVE-2010-5107, CVE-2014-1545, CVE-2014-1541, CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538, CVE-2013-2005, CVE-2013-2002, CVE-2014-0092, CVE-2014-0015, CVE-2014-4220, CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, CVE-2014-2483, CVE-2014-4263, CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, CVE-2014-4223, CVE-2014-4247, CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, CVE-2014-4227, CVE-2014-4208, CVE-2014-4209, CVE-2014-4265, CVE-2014-4244,\r\nCVE-2014-4216, CVE-2011-0020, CVE-2011-0064, CVE-2014-3638, CVE-2014-3639, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566, CVE-2014-4330, CVE-2014-3613, CVE-2014-3620, CVE-2015-0512\r\n\r\nSeverity Rating: View details below for CVSSv2 scores\r\n\r\nAffected products: \r\nUnisphere Central versions prior to 4.0\r\n\r\nSummary: \r\nUnisphere Central requires an update to address various security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.\r\n\r\nDetails: \r\nUnisphere Central requires an update to address various security vulnerabilities:\r\n\r\n1.\tUnvalidated Redirect Vulnerability (CVE-2015-0512)\r\n\r\nA potential vulnerability in Unisphere Central may allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. The attacker can specify the location of the arbitrary site in the unvalidated parameter of a crafted URL. If this URL is accessed, the browser is redirected to the arbitrary site specified in the parameter.\r\n\r\nCVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)\r\n\r\n2.\tMultiple Embedded Component Vulnerabilities\r\n\r\nThe following vulnerabilities affecting multiple embedded components were addressed:\r\n\r\n\u2022\tPostgreSQL (CVE-2013-1899, CVE-2013-1900, CVE-2013-1901, CVE-2013-1902)\r\n\u2022\tApache Tomcat HTTP Digest Access Bypass (CVE-2012-5885)\r\n\u2022\tSSL3.0/TLS1.0 Weak CBC Mode Vulnerability (CVE-2011-3389)\r\n\u2022\tSUSE Kernel Updates (CVE-2013-1767, CVE-2012-2137, CVE-2012-6548, CVE-2013-1797, CVE-2013-0231,CVE-2013-1774, CVE-2013-1848, CVE-2013-0311, CVE-2013-2634, CVE-2013-0268, CVE-2013-0913, CVE-2013-1772, CVE-2013-0216, CVE-2013-1792, CVE-2012-6549, CVE-2013-2635, CVE-2013-0914, CVE-2013-1796, CVE-2013-0160, CVE-2013-1860, CVE-2013-0349, CVE-2013-1798)\r\n\u2022\tLibgcrypt (CVE-2013-4242)\r\n\u2022\tcURL/libcURL Multiple Vulnerabilities (CVE-2014-0138, CVE-2014-0139, CVE-2014-0015, CVE-2014-3613, CVE-2014-3620)\r\n\u2022\tOpenSSL Multiple Vulnerabilities (CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3566)\r\n\u2022\tGNU Privacy Guard (GPG2) Update (CVE-2012-6085)\r\n\u2022\tJava Runtime Environment (CVE-2014-2403, CVE-2014-0446, CVE-2014-0457, CVE-2014-0453, CVE-2014-2412, CVE-2014-2398, CVE-2014-0458, CVE-2014-2397, CVE-2014-0460, CVE-2014-0429, CVE-2014-2428, CVE-2014-2423, CVE-2014-2420, CVE-2014-0448, CVE-2014-0459, CVE-2014-2427, CVE-2014-2414, CVE-2014-0461, CVE-2014-0454, CVE-2014-2422, CVE-2014-0464, CVE-2014-2401, CVE-2014-0456, CVE-2014-0455, CVE-2014-0451, CVE-2014-0449, CVE-2014-0432, CVE-2014-0463, CVE-2014-2410, CVE-2014-2413, CVE-2014-2421, CVE-2014-2409, CVE-2014-2402, CVE-2014-0452, CVE-2014-4220, CVE-2014-2490, CVE-2014-4266, CVE-2014-4219, CVE-2014-2483, CVE-2014-4263, CVE-2014-4264, CVE-2014-4268, CVE-2014-4252, CVE-2014-4223, CVE-2014-4247, CVE-2014-4218, CVE-2014-4221, CVE-2014-4262, CVE-2014-4227, CVE-2014-4208, CVE-2014-4209, CVE-2014-4265, CVE-2014-4244, CVE-2014-4216)\r\n\u2022\tOpenSSH Denial of Service (CVE-2010-5107)\r\n\u2022\tNetwork Security Services (NSS) Update (CVE-2014-1545, CVE-2014-1541, CVE-2014-1534, CVE-2014-1533, CVE-2014-1536, CVE-2014-1537, CVE-2014-1538)\r\n\u2022\t Xorg-X11 Update (CVE-2013-2005, CVE-2013-2002)\r\n\u2022\tGnuTLS SSL Verification Vulnerability (CVE-2014-0092)\r\n\u2022\tPango Security Update (CVE-2011-0020, CVE-2011-0064)\r\n\u2022\tD-Bus Denial of Service (CVE-2014-3638,CVE-2014-3639)\r\n\u2022\tPerl Denial of Service (CVE-2014-4330)\r\nCVSSv2 Base Score: Refer to NVD (http://nvd.nist.gov) for individual scores for each CVE listed above\r\n\r\nFor more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a particular CVE, use the NVD database\u2019s search utility at http://web.nvd.nist.gov/view/vuln/search\r\n\r\nResolution: \r\nThe following Unisphere Central release contains resolutions to the above issues:\r\n\u2022\tUnisphere Central version 4.0.\r\n\r\nEMC strongly recommends all customers upgrade at the earliest opportunity. Contact EMC Unisphere Central customer support to download the required upgrades. \r\n\r\nLink to remedies:\r\nRegistered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/products/28224_Unisphere-Central\r\n\r\n\r\nIf you have any questions, please contact EMC Support.\r\n\r\nRead and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. \r\n\r\n\r\nFor an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.\r\n\r\nEMC Product Security Response Center\r\nsecurity_alert@emc.com\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlTKSaIACgkQtjd2rKp+ALzINgCg01qlCrN0carogi8MwnbjGNrP\r\n6oIAnRiS6bIIqnGmGN0c+ayX74Qad4vY\r\n=5UIE\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-02-02T00:00:00", "title": "ESA-2015-002: Unisphere Central Security Update for Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:57", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-2635", "CVE-2014-1536", "CVE-2013-1797", "CVE-2014-4208", "CVE-2014-3508", "CVE-2014-4262", "CVE-2014-3566", "CVE-2014-2397", "CVE-2014-2490", "CVE-2013-1767", "CVE-2015-0512", "CVE-2012-6548", "CVE-2014-4263", "CVE-2014-0457", "CVE-2014-0455", "CVE-2014-0446", "CVE-2013-0268", "CVE-2013-0160", "CVE-2014-3613", "CVE-2014-4218", "CVE-2013-1848", "CVE-2014-1538", "CVE-2014-4221", "CVE-2014-2420", "CVE-2013-2005", "CVE-2014-3638", "CVE-2014-0458", "CVE-2014-2427", "CVE-2014-3507", "CVE-2013-1860", "CVE-2014-4268", "CVE-2014-1537", "CVE-2014-2413", "CVE-2014-0076", "CVE-2014-4265", "CVE-2014-3513", "CVE-2013-1792", "CVE-2013-4242", "CVE-2014-0454", "CVE-2014-0224", "CVE-2014-0453", "CVE-2014-0432", "CVE-2014-4266", "CVE-2012-2137", "CVE-2014-0461", "CVE-2014-3511", "CVE-2011-3389", "CVE-2014-0459", "CVE-2014-0456", "CVE-2014-4244", "CVE-2013-1772", "CVE-2014-1534", "CVE-2013-0349", "CVE-2014-0429", "CVE-2013-1774", "CVE-2014-0463", "CVE-2014-3470", "CVE-2014-3506", "CVE-2014-1545", "CVE-2013-0311", "CVE-2014-4209", "CVE-2014-0464", "CVE-2014-0139", "CVE-2014-0092", "CVE-2014-2403", "CVE-2011-0020", "CVE-2010-5107", "CVE-2014-0449", "CVE-2014-2412", "CVE-2014-2428", "CVE-2010-5298", "CVE-2013-0231", "CVE-2014-2421", "CVE-2014-0460", "CVE-2014-0448", "CVE-2014-0195", "CVE-2014-0198", "CVE-2014-4216", "CVE-2014-2401", "CVE-2014-3567", "CVE-2014-0015", "CVE-2014-3620", "CVE-2013-0913", "CVE-2014-4264", "CVE-2014-2422", "CVE-2014-4330", "CVE-2014-4220", "CVE-2012-6085", "CVE-2014-3512", "CVE-2013-2002", "CVE-2013-1901", "CVE-2014-3510", "CVE-2012-6549", "CVE-2014-2423", "CVE-2014-1541", "CVE-2014-2410", "CVE-2013-1902", "CVE-2013-0914", "CVE-2014-2483", "CVE-2013-2634", "CVE-2012-5885", "CVE-2014-3568", "CVE-2014-1533", "CVE-2014-4227", "CVE-2014-2409", "CVE-2014-4247", "CVE-2013-0216", "CVE-2014-4252", "CVE-2013-1796", "CVE-2014-0138", "CVE-2014-4219", "CVE-2013-1798", "CVE-2013-1900", "CVE-2014-2398", "CVE-2014-0451", "CVE-2014-0452", "CVE-2014-3509", "CVE-2014-5139", "CVE-2014-2414", "CVE-2014-4223", "CVE-2011-0064", "CVE-2013-1899", "CVE-2014-3639", "CVE-2014-0221", "CVE-2014-2402"], "modified": "2015-02-02T00:00:00", "id": "SECURITYVULNS:DOC:31682", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31682", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2016-09-28T21:04:11", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.15-1.21", "arch": "x86_64", "packageFilename": "gnupg-debuginfo-1.4.15-1.21.amzn1.x86_64", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.15-1.21", "arch": "i686", "packageFilename": "gnupg-debuginfo-1.4.15-1.21.amzn1.i686", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.15-1.21", "arch": "src", "packageFilename": "gnupg-1.4.15-1.21.amzn1.src", "packageName": "gnupg", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.15-1.21", "arch": "x86_64", "packageFilename": "gnupg-1.4.15-1.21.amzn1.x86_64", "packageName": "gnupg", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.15-1.21", "arch": "i686", "packageFilename": "gnupg-1.4.15-1.21.amzn1.i686", "packageName": "gnupg", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nGnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. \n\nThe compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. \n\n \n**Affected Packages:** \n\n\ngnupg\n\n \n**Issue Correction:** \nRun _yum update gnupg_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n gnupg-1.4.15-1.21.amzn1.i686 \n gnupg-debuginfo-1.4.15-1.21.amzn1.i686 \n \n src: \n gnupg-1.4.15-1.21.amzn1.src \n \n x86_64: \n gnupg-1.4.15-1.21.amzn1.x86_64 \n gnupg-debuginfo-1.4.15-1.21.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2013-10-23T15:23:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "amazon", "title": "Medium: gnupg", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2014-09-16T21:46:00", "id": "ALAS-2013-236", "href": "https://alas.aws.amazon.com/ALAS-2013-236.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-28T21:04:03", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "i686", "packageFilename": "gnupg2-2.0.22-1.24.amzn1.i686", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "i686", "packageFilename": "gnupg2-debuginfo-2.0.22-1.24.amzn1.i686", "packageName": "gnupg2-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "x86_64", "packageFilename": "gnupg2-debuginfo-2.0.22-1.24.amzn1.x86_64", "packageName": "gnupg2-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "x86_64", "packageFilename": "gnupg2-2.0.22-1.24.amzn1.x86_64", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "x86_64", "packageFilename": "gnupg2-smime-2.0.22-1.24.amzn1.x86_64", "packageName": "gnupg2-smime", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "src", "packageFilename": "gnupg2-2.0.22-1.24.amzn1.src", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "2.0.22-1.24", "arch": "i686", "packageFilename": "gnupg2-smime-2.0.22-1.24.amzn1.i686", "packageName": "gnupg2-smime", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nGnuPG 1.4.x, 2.0.x, and 2.1.x treats a key flags subpacket with all bits cleared (no usage permitted) as if it has all bits set (all usage permitted), which might allow remote attackers to bypass intended cryptographic protection mechanisms by leveraging the subkey. \n\nThe compressed packet parser in GnuPG 1.4.x before 1.4.15 and 2.0.x before 2.0.22 allows remote attackers to cause a denial of service (infinite recursion) via a crafted OpenPGP message. \n\n \n**Affected Packages:** \n\n\ngnupg2\n\n \n**Issue Correction:** \nRun _yum update gnupg2_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n gnupg2-debuginfo-2.0.22-1.24.amzn1.i686 \n gnupg2-smime-2.0.22-1.24.amzn1.i686 \n gnupg2-2.0.22-1.24.amzn1.i686 \n \n src: \n gnupg2-2.0.22-1.24.amzn1.src \n \n x86_64: \n gnupg2-2.0.22-1.24.amzn1.x86_64 \n gnupg2-smime-2.0.22-1.24.amzn1.x86_64 \n gnupg2-debuginfo-2.0.22-1.24.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2013-10-23T15:24:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "amazon", "title": "Medium: gnupg2", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2014-09-16T21:46:00", "id": "ALAS-2013-237", "href": "https://alas.aws.amazon.com/ALAS-2013-237.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-28T21:04:09", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "i686", "packageFilename": "libgcrypt-1.4.5-9.12.amzn1.i686", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "x86_64", "packageFilename": "libgcrypt-debuginfo-1.4.5-9.12.amzn1.x86_64", "packageName": "libgcrypt-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "x86_64", "packageFilename": "libgcrypt-1.4.5-9.12.amzn1.x86_64", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "i686", "packageFilename": "libgcrypt-debuginfo-1.4.5-9.12.amzn1.i686", "packageName": "libgcrypt-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "i686", "packageFilename": "libgcrypt-devel-1.4.5-9.12.amzn1.i686", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "src", "packageFilename": "libgcrypt-1.4.5-9.12.amzn1.src", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.5-9.12", "arch": "x86_64", "packageFilename": "libgcrypt-devel-1.4.5-9.12.amzn1.x86_64", "packageName": "libgcrypt-devel", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nGnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. \n\n \n**Affected Packages:** \n\n\nlibgcrypt\n\n \n**Issue Correction:** \nRun _yum update libgcrypt_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n libgcrypt-debuginfo-1.4.5-9.12.amzn1.i686 \n libgcrypt-devel-1.4.5-9.12.amzn1.i686 \n libgcrypt-1.4.5-9.12.amzn1.i686 \n \n src: \n libgcrypt-1.4.5-9.12.amzn1.src \n \n x86_64: \n libgcrypt-debuginfo-1.4.5-9.12.amzn1.x86_64 \n libgcrypt-1.4.5-9.12.amzn1.x86_64 \n libgcrypt-devel-1.4.5-9.12.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2013-09-19T15:49:00", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "amazon", "title": "Medium: libgcrypt", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2014-09-16T21:38:00", "id": "ALAS-2013-226", "href": "https://alas.aws.amazon.com/ALAS-2013-226.html", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-28T21:04:11", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.14-1.20", "arch": "i686", "packageFilename": "gnupg-1.4.14-1.20.amzn1.i686", "packageName": "gnupg", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.14-1.20", "arch": "i686", "packageFilename": "gnupg-debuginfo-1.4.14-1.20.amzn1.i686", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.14-1.20", "arch": "x86_64", "packageFilename": "gnupg-1.4.14-1.20.amzn1.x86_64", "packageName": "gnupg", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.14-1.20", "arch": "x86_64", "packageFilename": "gnupg-debuginfo-1.4.14-1.20.amzn1.x86_64", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.14-1.20", "arch": "src", "packageFilename": "gnupg-1.4.14-1.20.amzn1.src", "packageName": "gnupg", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nGnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. \n\n \n**Affected Packages:** \n\n\ngnupg\n\n \n**Issue Correction:** \nRun _yum update gnupg_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n gnupg-debuginfo-1.4.14-1.20.amzn1.i686 \n gnupg-1.4.14-1.20.amzn1.i686 \n \n src: \n gnupg-1.4.14-1.20.amzn1.src \n \n x86_64: \n gnupg-1.4.14-1.20.amzn1.x86_64 \n gnupg-debuginfo-1.4.14-1.20.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2013-09-19T15:29:00", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "amazon", "title": "Medium: gnupg", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2014-09-15T23:24:00", "id": "ALAS-2013-225", "href": "https://alas.aws.amazon.com/ALAS-2013-225.html", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-28T21:04:02", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.16-2.23", "arch": "i686", "packageFilename": "gnupg-debuginfo-1.4.16-2.23.amzn1.i686", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.16-2.23", "arch": "x86_64", "packageFilename": "gnupg-debuginfo-1.4.16-2.23.amzn1.x86_64", "packageName": "gnupg-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.16-2.23", "arch": "src", "packageFilename": "gnupg-1.4.16-2.23.amzn1.src", "packageName": "gnupg", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.16-2.23", "arch": "x86_64", "packageFilename": "gnupg-1.4.16-2.23.amzn1.x86_64", "packageName": "gnupg", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.4.16-2.23", "arch": "i686", "packageFilename": "gnupg-1.4.16-2.23.amzn1.i686", "packageName": "gnupg", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nGnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.\n\n \n**Affected Packages:** \n\n\ngnupg\n\n \n**Issue Correction:** \nRun _yum update gnupg_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n gnupg-1.4.16-2.23.amzn1.i686 \n gnupg-debuginfo-1.4.16-2.23.amzn1.i686 \n \n src: \n gnupg-1.4.16-2.23.amzn1.src \n \n x86_64: \n gnupg-debuginfo-1.4.16-2.23.amzn1.x86_64 \n gnupg-1.4.16-2.23.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2014-01-14T16:18:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "amazon", "title": "Medium: gnupg", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2014-09-16T22:19:00", "id": "ALAS-2014-278", "href": "https://alas.aws.amazon.com/ALAS-2014-278.html", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-28T21:04:05", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "i686", "packageFilename": "libgcrypt-devel-1.5.3-12.18.amzn1.i686", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "src", "packageFilename": "libgcrypt-1.5.3-12.18.amzn1.src", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "x86_64", "packageFilename": "libgcrypt-1.5.3-12.18.amzn1.x86_64", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "i686", "packageFilename": "libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686", "packageName": "libgcrypt-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "x86_64", "packageFilename": "libgcrypt-devel-1.5.3-12.18.amzn1.x86_64", "packageName": "libgcrypt-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "x86_64", "packageFilename": "libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64", "packageName": "libgcrypt-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.5.3-12.18", "arch": "i686", "packageFilename": "libgcrypt-1.5.3-12.18.amzn1.i686", "packageName": "libgcrypt", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nFix a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak. ([CVE-2015-0837 __](<https://access.redhat.com/security/cve/CVE-2015-0837>))\n\nFix a side-channel attack which can potentially lead to an information leak. ([CVE-2014-3591 __](<https://access.redhat.com/security/cve/CVE-2014-3591>))\n\nLibgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than [CVE-2013-4576 __](<https://access.redhat.com/security/cve/CVE-2013-4576>), which was fixed in [ALAS-2014-278](<https://alas.aws.amazon.com/ALAS-2014-278.html>). ([CVE-2014-5270 __](<https://access.redhat.com/security/cve/CVE-2014-5270>))\n\n \n**Affected Packages:** \n\n\nlibgcrypt\n\n \n**Issue Correction:** \nRun _yum update libgcrypt_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686 \n libgcrypt-devel-1.5.3-12.18.amzn1.i686 \n libgcrypt-1.5.3-12.18.amzn1.i686 \n \n src: \n libgcrypt-1.5.3-12.18.amzn1.src \n \n x86_64: \n libgcrypt-devel-1.5.3-12.18.amzn1.x86_64 \n libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64 \n libgcrypt-1.5.3-12.18.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2015-08-04T17:43:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "amazon", "title": "Medium: libgcrypt", "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576", "CVE-2014-5270", "CVE-2015-0837", "CVE-2014-3591"], "modified": "2015-08-04T17:55:00", "id": "ALAS-2015-577", "href": "https://alas.aws.amazon.com/ALAS-2015-577.html", "cvss": {"score": 2.6, "vector": "AV:LOCAL/AC:HIGH/Au:NONE/C:LOW/I:NONE/A:NONE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:24", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4402", "https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4351"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "2.0.14-1ubuntu1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.4.11-3ubuntu2.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.4.10-2ubuntu1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "1.4.11-3ubuntu4.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "2.0.17-2ubuntu3.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.04", "packageVersion": "2.0.19-2ubuntu1.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.04", "packageVersion": "1.4.12-7ubuntu1.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "2.0.17-2ubuntu2.12.04.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg2", "operator": "lt"}], "description": "Daniel Kahn Gillmor discovered that GnuPG treated keys with empty usage flags as being valid for all usages. (CVE-2013-4351)\n\nTaylor R Campbell discovered that GnuPG incorrectly handled certain OpenPGP messages. If a user or automated system were tricked into processing a specially-crafted message, GnuPG could consume resources, resulting in a denial of service. (CVE-2013-4402)", "edition": 3, "reporter": "Ubuntu", "published": "2013-10-09T00:00:00", "title": "GnuPG vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402", "CVE-2013-4351"], "modified": "2013-10-09T00:00:00", "id": "USN-1987-1", "href": "https://usn.ubuntu.com/1987-1/", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T00:10:09", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4576"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.4.11-3ubuntu2.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "1.4.11-3ubuntu4.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.10", "packageVersion": "1.4.14-1ubuntu2.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.4.10-2ubuntu1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.04", "packageVersion": "1.4.12-7ubuntu1.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}], "description": "Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via acoustic emanations. A local attacker could use this attack to possibly recover private keys.", "edition": 3, "reporter": "Ubuntu", "published": "2013-12-18T00:00:00", "title": "GnuPG vulnerability", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2013-12-18T00:00:00", "id": "USN-2059-1", "href": "https://usn.ubuntu.com/2059-1/", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T00:08:32", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4242"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.4.4-5ubuntu2.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libgcrypt11", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1.4.10-2ubuntu1.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.04", "packageVersion": "1.4.12-7ubuntu1.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "1.4.11-3ubuntu4.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.5.0-3ubuntu0.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libgcrypt11", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.4.11-3ubuntu2.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "1.5.0-3ubuntu1.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libgcrypt11", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.04", "packageVersion": "1.5.0-3ubuntu2.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libgcrypt11", "operator": "lt"}], "description": "Yuval Yarom and Katrina Falkner discovered a timing-based information leak, known as Flush+Reload, that could be used to trace execution in programs. GnuPG and Libgcrypt followed different execution paths based on key-related data, which could be used to expose the contents of private keys.", "edition": 3, "reporter": "Ubuntu", "published": "2013-08-01T00:00:00", "title": "GnuPG, Libgcrypt vulnerability", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-08-01T00:00:00", "id": "USN-1923-1", "href": "https://usn.ubuntu.com/1923-1/", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "cert": [{"lastseen": "2018-08-31T02:38:01", "references": ["http://www.gnupg.org/download/index.en.html#libgcrypt", "http://eprint.iacr.org/2013/448.pdf", "http://eprint.iacr.org/2013/448.pdf", "http://cwe.mitre.org/data/definitions/200.html", "http://cwe.mitre.org/data/definitions/200.html", "http://www.gnupg.org/download/index.en.html", "http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4242", "http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html"], "description": "### Overview\n\nL3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack, resulting in information leakage. allowing a local attacker to derive the contents of memory not belonging to the attacker.\n\n### Description\n\nCommon L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack, as described in \"[Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack](<http://eprint.iacr.org/2013/448.pdf>)\" by Yarom and Falkner. \n\nBy manipulating memory stored in the L3 cache by a target process and observing timing differences between requests for cached and non-cached memory, an attacker can derive specific information about the target process. The paper demonstrates an attack against GnuPG on an Intel Ivy Bridge platform that recovers over 98% of the bits of an RSA private key. \n \nThis vulnerability is an example of [CWE-200](<http://cwe.mitre.org/data/definitions/200.html>): Information Exposure. \n \n--- \n \n### Impact\n\nA local attacker can derive the contents of memory shared with another process on the same L3 cache (same physical CPU). Virtualization and cryptographic software are examples that are likely to be vulnerable. \n \nAn attacker on the same host operating system only needs read access to the executable file or a shared library component of the target process. \n \nAn attacker on a different virtual machine similarly needs access to an exact copy of the executable or shared library used by the target process, and the hypervisor needs to have memory page de-duplication enabled. \n \n--- \n \n### Solution\n\n**Apply an Update** \nSee the Vendor Information section below for additional information. \n \nGnuPG has released [GnuPG version 1.4.14](<http://www.gnupg.org/download/index.en.html>) and [Libgcrypt 1.5.3](<http://www.gnupg.org/download/index.en.html#libgcrypt>) to to address this vulnerability. CVE-2013-4242 has been assigned to the specific GnuPG vulnerability described in the Yarom/Falkner paper. The CVSS score below applies specifically to CVE-2013-4242. \n \n--- \n \n**Disable Memory Page De-duplication** \n \nTo prevent this attack on virtualization platforms, disable hypervisor memory page de-duplication. \n \n--- \n \n### Vendor Information \n\nAny shared cache architecture may be susceptible to side-channel or timing attacks. CPU vendors are listed as \"Not Affected\" since the cache architecture is functioning as designed. It is generally up to an operating system or application to take appropriate measures to protect sensitive information. \n \n--- \nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nlibgcrypt| | 16 Aug 2013| 16 Aug 2013 \nLinux KVM| | 15 Aug 2013| 16 Aug 2013 \nRed Hat, Inc.| | 13 Sep 2013| 13 Sep 2013 \nVMware| | 16 Aug 2013| 03 Sep 2013 \nXen| | 16 Aug 2013| 03 Sep 2013 \nAMD| | 16 Aug 2013| 29 Oct 2013 \nCryptlib| | 16 Aug 2013| 03 Sep 2013 \nGnuTLS| | 16 Aug 2013| 03 Sep 2013 \nIntel Corporation| | 16 Aug 2013| 03 Sep 2013 \nOpenSSL| | 16 Aug 2013| 03 Sep 2013 \nAmazon| | 16 Aug 2013| 03 Sep 2013 \nAttachmate| | 16 Aug 2013| 03 Sep 2013 \nCerticom| | 16 Aug 2013| 16 Aug 2013 \nCrypto++ Library| | 16 Aug 2013| 16 Aug 2013 \nEMC Corporation| | 16 Aug 2013| 16 Aug 2013 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23976534 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 2.4 | AV:L/AC:H/Au:S/C:P/I:P/A:N \nTemporal | 1.9 | E:POC/RL:OF/RC:C \nEnvironmental | 2.3 | CDP:ND/TD:M/CR:H/IR:H/AR:ND \n \n### References\n\n * <http://eprint.iacr.org/2013/448.pdf>\n * <http://cwe.mitre.org/data/definitions/200.html>\n * <http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html>\n * <http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html>\n\n### Credit\n\nThanks to Yuval Yarom and Katrina Falkner for reporting this vulnerability and for help writing this document.\n\nThis document was written by Adam Rauf.\n\n### Other Information\n\n * CVE IDs: [CVE-2013-4242](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4242>)\n * Date Public: 05 Sep 2013\n * Date First Published: 01 Oct 2013\n * Date Last Updated: 01 Nov 2013\n * Document Revision: 39\n\n", "edition": 3, "reporter": "CERT", "published": "2013-10-01T00:00:00", "title": "L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "info", "cvelist": ["CVE-2013-4242", "CVE-2013-4242", "CVE-2013-4242", "CVE-2013-4242"], "modified": "2013-11-01T00:00:00", "id": "VU:976534", "href": "https://www.kb.cert.org/vuls/id/976534", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "slackware": [{"lastseen": "2018-08-31T02:36:50", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "1.4.15", "arch": "i486", "packageFilename": "gnupg-1.4.15-i486-1_slack12.1.tgz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.15", "arch": "i486", "packageFilename": "gnupg-1.4.15-i486-1_slack13.37.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.15", "arch": "i486", "packageFilename": "gnupg-1.4.15-i486-1_slack13.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.15", "arch": "x86_64", "packageFilename": "gnupg-1.4.15-x86_64-1_slack13.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.4.15", "arch": "i486", "packageFilename": "gnupg-1.4.15-i486-1_slack14.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.4.15", "arch": "i486", "packageFilename": "gnupg-1.4.15-i486-1_slack13.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "1.4.15", "arch": "i486", "packageFilename": "gnupg-1.4.15-i486-1_slack12.2.tgz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.4.15", "arch": "x86_64", "packageFilename": "gnupg-1.4.15-x86_64-1_slack14.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.4.15", "arch": "x86_64", "packageFilename": "gnupg-1.4.15-x86_64-1_slack13.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.15", "arch": "x86_64", "packageFilename": "gnupg-1.4.15-x86_64-1_slack13.37.txz", "packageName": "gnupg", "operator": "lt"}], "description": "New gnupg packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37,\n14.0, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.0 ChangeLog:\n\npatches/packages/gnupg-1.4.15-i486-1_slack14.0.txz: Upgraded.\n Fixed possible infinite recursion in the compressed packet\n parser. [CVE-2013-4402]\n Protect against rogue keyservers sending secret keys.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/gnupg-1.4.15-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/gnupg-1.4.15-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnupg-1.4.15-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnupg-1.4.15-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnupg-1.4.15-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnupg-1.4.15-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnupg-1.4.15-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnupg-1.4.15-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnupg-1.4.15-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnupg-1.4.15-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg-1.4.15-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg-1.4.15-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.1 package:\n87cb6a460733cbd145767e2c3452b227 gnupg-1.4.15-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n49083b551dae4b6f4e11ef8194c565aa gnupg-1.4.15-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\nf0cf6a234c3fcdb3cc1d7583a6e922f1 gnupg-1.4.15-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\ne8a48beb5c68d49889771f8fe7ff4e6f gnupg-1.4.15-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n1678dbd3d89356b32d62ce4dd6ea84cd gnupg-1.4.15-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\naf8dee6b58d88a6d95f710255f5f8a90 gnupg-1.4.15-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\nae91e336fa82263647da46bc039346bc gnupg-1.4.15-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nf577a4b5ab805be99acf344e67ebd919 gnupg-1.4.15-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n3c1183cd80d74353f2ea6789dba8fa32 gnupg-1.4.15-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\ndb3aecec58e254058727e17b0c358766 gnupg-1.4.15-x86_64-1_slack14.0.txz\n\nSlackware -current package:\nf5c0bf28ae06d7828c1ac37b0852aedc n/gnupg-1.4.15-i486-1.txz\n\nSlackware x86_64 -current package:\n2a3d878358783284312b2022c394dcdf n/gnupg-1.4.15-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg gnupg-1.4.15-i486-1_slack14.0.txz", "edition": 3, "reporter": "Slackware Linux Project", "published": "2013-10-14T17:17:55", "title": "gnupg", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402"], "modified": "2013-10-14T17:17:55", "id": "SSA-2013-287-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.501153", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:36:45", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "2.0.22", "arch": "x86_64", "packageFilename": "gnupg2-2.0.22-x86_64-1_slack13.37.txz", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "2.0.22", "arch": "i486", "packageFilename": "gnupg2-2.0.22-i486-1_slack14.0.txz", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "2.0.22", "arch": "i486", "packageFilename": "gnupg2-2.0.22-i486-1_slack13.37.txz", "packageName": "gnupg2", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "2.0.22", "arch": "x86_64", "packageFilename": "gnupg2-2.0.22-x86_64-1_slack14.0.txz", "packageName": "gnupg2", "operator": "lt"}], "description": "New gnupg2 packages are available for Slackware 13.37, 14.0, and -current to\nfix security issues.\n\nThese packages will require the updated libgpg-error package.\n\n\nHere are the details from the Slackware 14.0 ChangeLog:\n\npatches/packages/gnupg2-2.0.22-i486-1_slack14.0.txz: Upgraded.\n Fixed possible infinite recursion in the compressed packet\n parser. [CVE-2013-4402]\n Protect against rogue keyservers sending secret keys.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4402\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnupg2-2.0.22-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnupg2-2.0.22-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnupg2-2.0.22-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnupg2-2.0.22-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg2-2.0.22-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg2-2.0.22-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.37 package:\n2194f25dba02397b2323fa1d3c9c15ea gnupg2-2.0.22-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n7565e99bdd15bdd86097938c979f8b6b gnupg2-2.0.22-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\na9080b0567a8f98ae1189bdbf8c88aad gnupg2-2.0.22-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n5ac9c035acafa7b339d887bc67a96d89 gnupg2-2.0.22-x86_64-1_slack14.0.txz\n\nSlackware -current package:\n03ce9cfc9d2c8cc763a60e78f1788698 n/gnupg2-2.0.22-i486-1.txz\n\nSlackware x86_64 -current package:\n9f82aafc690fae866d71734ff4bb377f n/gnupg2-2.0.22-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg gnupg2-2.0.22-i486-1_slack14.0.txz", "edition": 3, "reporter": "Slackware Linux Project", "published": "2013-10-14T17:18:13", "title": "gnupg2", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402"], "modified": "2013-10-14T17:18:13", "id": "SSA-2013-287-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.392546", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T02:37:08", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.11", "arch": "x86_64", "packageFilename": "libgpg-error-1.11-x86_64-1_slack13.1.txz", "packageName": "libgpg-error", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "1.11", "arch": "i486", "packageFilename": "libgpg-error-1.11-i486-1_slack12.2.tgz", "packageName": "libgpg-error", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.5.3", "arch": "x86_64", "packageFilename": "libgcrypt-1.5.3-x86_64-1_slack13.37.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.5.3", "arch": "i486", "packageFilename": "libgcrypt-1.5.3-i486-1_slack14.0.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.14", "arch": "x86_64", "packageFilename": "gnupg-1.4.14-x86_64-1_slack13.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.5.3", "arch": "i486", "packageFilename": "libgcrypt-1.5.3-i486-1_slack13.37.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "1.4.14", "arch": "i486", "packageFilename": "gnupg-1.4.14-i486-1_slack12.2.tgz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "1.11", "arch": "i486", "packageFilename": "libgpg-error-1.11-i486-1_slack12.1.tgz", "packageName": "libgpg-error", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "1.4.14", "arch": "i486", "packageFilename": "gnupg-1.4.14-i486-1_slack12.1.tgz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.5.3", "arch": "x86_64", "packageFilename": "libgcrypt-1.5.3-x86_64-1_slack13.1.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "1.5.3", "arch": "i486", "packageFilename": "libgcrypt-1.5.3-i486-1_slack12.1.tgz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "1.5.3", "arch": "i486", "packageFilename": "libgcrypt-1.5.3-i486-1_slack12.2.tgz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.4.14", "arch": "i486", "packageFilename": "gnupg-1.4.14-i486-1_slack13.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.5.3", "arch": "i486", "packageFilename": "libgcrypt-1.5.3-i486-1_slack13.1.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.14", "arch": "i486", "packageFilename": "gnupg-1.4.14-i486-1_slack13.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.11", "arch": "x86_64", "packageFilename": "libgpg-error-1.11-x86_64-1_slack13.0.txz", "packageName": "libgpg-error", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.14", "arch": "x86_64", "packageFilename": "gnupg-1.4.14-x86_64-1_slack13.37.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.5.3", "arch": "i486", "packageFilename": "libgcrypt-1.5.3-i486-1_slack13.0.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.4.14", "arch": "x86_64", "packageFilename": "gnupg-1.4.14-x86_64-1_slack13.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.5.3", "arch": "x86_64", "packageFilename": "libgcrypt-1.5.3-x86_64-1_slack14.0.txz", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.4.14", "arch": "x86_64", "packageFilename": "gnupg-1.4.14-x86_64-1_slack14.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.11", "arch": "i486", "packageFilename": "libgpg-error-1.11-i486-1_slack13.0.txz", "packageName": "libgpg-error", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.4.14", "arch": "i486", "packageFilename": "gnupg-1.4.14-i486-1_slack14.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.11", "arch": "i486", "packageFilename": "libgpg-error-1.11-i486-1_slack13.1.txz", "packageName": "libgpg-error", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.14", "arch": "i486", "packageFilename": "gnupg-1.4.14-i486-1_slack13.37.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.5.3", "arch": "x86_64", "packageFilename": "libgcrypt-1.5.3-x86_64-1_slack13.0.txz", "packageName": "libgcrypt", "operator": "lt"}], "description": "New gnupg and libgcrypt packages are available for Slackware 12.1, 12.2, 13.0,\n13.1, 13.37, 14.0, and -current to fix a security issue. New libgpg-error\npackages are also available for Slackware 13.1 and older as the supplied\nversion wasn't new enough to compile the fixed version of libgcrypt.\n\n\nHere are the details from the Slackware 14.0 ChangeLog:\n\npatches/packages/gnupg-1.4.14-i486-1_slack14.0.txz: Upgraded.\n Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA\n secret keys.\n For more information, see:\n http://eprint.iacr.org/2013/448\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242\n (* Security fix *)\npatches/packages/libgcrypt-1.5.3-i486-1_slack14.0.txz: Upgraded.\n Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA\n secret keys.\n For more information, see:\n http://eprint.iacr.org/2013/448\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/gnupg-1.4.14-i486-1_slack12.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/libgcrypt-1.5.3-i486-1_slack12.1.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/libgpg-error-1.11-i486-1_slack12.1.tgz\n\nUpdated packages for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/gnupg-1.4.14-i486-1_slack12.2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/libgcrypt-1.5.3-i486-1_slack12.2.tgz\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/libgpg-error-1.11-i486-1_slack12.2.tgz\n\nUpdated packages for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnupg-1.4.14-i486-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libgcrypt-1.5.3-i486-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libgpg-error-1.11-i486-1_slack13.0.txz\n\nUpdated packages for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnupg-1.4.14-x86_64-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libgcrypt-1.5.3-x86_64-1_slack13.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libgpg-error-1.11-x86_64-1_slack13.0.txz\n\nUpdated packages for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnupg-1.4.14-i486-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libgcrypt-1.5.3-i486-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libgpg-error-1.11-i486-1_slack13.1.txz\n\nUpdated packages for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnupg-1.4.14-x86_64-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libgcrypt-1.5.3-x86_64-1_slack13.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libgpg-error-1.11-x86_64-1_slack13.1.txz\n\nUpdated packages for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnupg-1.4.14-i486-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libgcrypt-1.5.3-i486-1_slack13.37.txz\n\nUpdated packages for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnupg-1.4.14-x86_64-1_slack13.37.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libgcrypt-1.5.3-x86_64-1_slack13.37.txz\n\nUpdated packages for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnupg-1.4.14-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libgcrypt-1.5.3-i486-1_slack14.0.txz\n\nUpdated packages for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnupg-1.4.14-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libgcrypt-1.5.3-x86_64-1_slack14.0.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg-1.4.14-i486-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/libgcrypt-1.5.3-i486-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg-1.4.14-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/libgcrypt-1.5.3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.1 packages:\nedfa6b7fd6406ed4abd81a1a9cd968a6 gnupg-1.4.14-i486-1_slack12.1.tgz\n6d50ecae51b1bb5e4901a93441c8d979 libgcrypt-1.5.3-i486-1_slack12.1.tgz\n012330680b03d757be4425c9ae536933 libgpg-error-1.11-i486-1_slack12.1.tgz\n\nSlackware 12.2 packages:\n64b7f7356246b46764079910885e91ea gnupg-1.4.14-i486-1_slack12.2.tgz\n0bf6ae65411c96d9bd8893cc1b41040a libgcrypt-1.5.3-i486-1_slack12.2.tgz\ne3669f73f15b88576cbb219ad2ca39a3 libgpg-error-1.11-i486-1_slack12.2.tgz\n\nSlackware 13.0 packages:\n93e89b3a685ce45179a4708158de6d63 gnupg-1.4.14-i486-1_slack13.0.txz\nc7f1d20e76c639d2e412254909130dd7 libgcrypt-1.5.3-i486-1_slack13.0.txz\n4f75e8be0543bfb9aa8067a2e4632b3f libgpg-error-1.11-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 packages:\nb1725df1cb6183c22a385e41d68099ed gnupg-1.4.14-x86_64-1_slack13.0.txz\n4b1ae976b6b855de8c320cdeba870b67 libgcrypt-1.5.3-x86_64-1_slack13.0.txz\n4c3f64870f18afdc2054cf5e47a5cbb4 libgpg-error-1.11-x86_64-1_slack13.0.txz\n\nSlackware 13.1 packages:\nb2f19bf31eab2d1e0ab32004f62baa20 gnupg-1.4.14-i486-1_slack13.1.txz\naec46a60340156b66d4aacf1cae150d7 libgcrypt-1.5.3-i486-1_slack13.1.txz\n6f939d0733758181bbd18863144d089c libgpg-error-1.11-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 packages:\nee43d4a0a3c84add3c7b0ee616bb97bb gnupg-1.4.14-x86_64-1_slack13.1.txz\n11621b833256b6e69f9f925572e2b652 libgcrypt-1.5.3-x86_64-1_slack13.1.txz\n835e0e7e05d6f70888927cdc8f7ba4c4 libgpg-error-1.11-x86_64-1_slack13.1.txz\n\nSlackware 13.37 packages:\n341734a954fcaaff59de62cb8fad8ba2 gnupg-1.4.14-i486-1_slack13.37.txz\nfb40f68f56ee0ae72c4b7ded47d39049 libgcrypt-1.5.3-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 packages:\ne437855c2593ea655c8a1999622f07d4 gnupg-1.4.14-x86_64-1_slack13.37.txz\n89b4e2fef96511e5cba56ab37d6b06d4 libgcrypt-1.5.3-x86_64-1_slack13.37.txz\n\nSlackware 14.0 packages:\nfa77aa1d0fd98071a59e2879477d9687 gnupg-1.4.14-i486-1_slack14.0.txz\n0f1b846d23f0d876a5f044e116d07f6d libgcrypt-1.5.3-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 packages:\n7046e1c0d35427659633d746b2c350af gnupg-1.4.14-x86_64-1_slack14.0.txz\n6381a6cfbe00c5450e0d92518bf41202 libgcrypt-1.5.3-x86_64-1_slack14.0.txz\n\nSlackware -current packages:\n2bebcc3164c45d8a68d24f5c807b15a2 n/gnupg-1.4.14-i486-1.txz\n67e7f7d3c3215c3da7860ed882cf9ce3 n/libgcrypt-1.5.3-i486-1.txz\n\nSlackware x86_64 -current packages:\na3423fe0d47ad239db726f83acfe1b0b n/gnupg-1.4.14-x86_64-1.txz\n0751449407fd5b87c6936f53ec154a79 n/libgcrypt-1.5.3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg gnupg-1.4.14-i486-1_slack14.0.txz libgcrypt-1.5.3-i486-1_slack14.0.txz", "edition": 3, "reporter": "Slackware Linux Project", "published": "2013-08-03T15:26:17", "title": "gnupg / libgcrypt", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-08-03T15:26:17", "id": "SSA-2013-215-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.812049", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T02:37:07", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.4.16", "arch": "i486", "packageFilename": "gnupg-1.4.16-i486-1_slack13.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.16", "arch": "i486", "packageFilename": "gnupg-1.4.16-i486-1_slack13.37.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.4.16", "arch": "i486", "packageFilename": "gnupg-1.4.16-i486-1_slack14.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.16", "arch": "i486", "packageFilename": "gnupg-1.4.16-i486-1_slack13.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.4.16", "arch": "x86_64", "packageFilename": "gnupg-1.4.16-x86_64-1_slack14.0.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "1.4.16", "arch": "x86_64", "packageFilename": "gnupg-1.4.16-x86_64-1_slack13.37.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.4.16", "arch": "i486", "packageFilename": "gnupg-1.4.16-i486-1_slack14.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.4.16", "arch": "x86_64", "packageFilename": "gnupg-1.4.16-x86_64-1_slack14.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "1.4.16", "arch": "x86_64", "packageFilename": "gnupg-1.4.16-x86_64-1_slack13.1.txz", "packageName": "gnupg", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "1.4.16", "arch": "x86_64", "packageFilename": "gnupg-1.4.16-x86_64-1_slack13.0.txz", "packageName": "gnupg", "operator": "lt"}], "description": "New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/gnupg-1.4.16-i486-1_slack14.1.txz: Upgraded.\n Fixed the RSA Key Extraction via Low-Bandwidth Acoustic\n Cryptanalysis attack as described by Genkin, Shamir, and Tromer.\n For more information, see:\n http://www.cs.tau.ac.il/~tromer/acoustic/\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/gnupg-1.4.16-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/gnupg-1.4.16-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/gnupg-1.4.16-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/gnupg-1.4.16-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gnupg-1.4.16-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gnupg-1.4.16-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gnupg-1.4.16-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gnupg-1.4.16-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/gnupg-1.4.16-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/gnupg-1.4.16-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/gnupg-1.4.16-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/gnupg-1.4.16-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n1b19a956ada33e1ac5ade0b4e6586d92 gnupg-1.4.16-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\nd8b88c599806ab6f006bba9f7fd58d50 gnupg-1.4.16-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n1a5e2df9356d37c68ff2029545d8a981 gnupg-1.4.16-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n4baf7f1d0f62dcb4e9e1d3dbfbb87cdd gnupg-1.4.16-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n205c28267d67a88751d86b97e66cebe4 gnupg-1.4.16-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n69ada153c418f43b4ad38782c79d8e3e gnupg-1.4.16-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nd2df6ff62d18880ff9f847caa84610a7 gnupg-1.4.16-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nab2ade7b21df6af575fea32d7391517f gnupg-1.4.16-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n95ef3d7c28a0516654037dec7945c180 gnupg-1.4.16-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nfc8f60b3d5f258a6f2fb66a66db60929 gnupg-1.4.16-x86_64-1_slack14.1.txz\n\nSlackware -current package:\ne2469fb2ba22ceb9e52d76831aa1b8e1 n/gnupg-1.4.16-i486-1.txz\n\nSlackware x86_64 -current package:\nf959c0f9009a26abc5294107bf8b188a n/gnupg-1.4.16-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg gnupg-1.4.16-i486-1_slack14.1.txz", "edition": 3, "reporter": "Slackware Linux Project", "published": "2013-12-21T11:34:33", "title": "gnupg", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2013-12-21T11:34:33", "id": "SSA-2013-354-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.504012", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:54", "references": [], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.15", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}], "description": "\nWerner Koch reports:\n\nSpecial crafted input data may be used to cause a denial of service\nagainst GPG (GnuPG's OpenPGP part) and some other OpenPGP\nimplementations. All systems using GPG to process incoming data are\naffected..\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2013-10-05T00:00:00", "title": "gnupg -- possible infinite recursion in the compressed packet parser", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4402"], "modified": "2013-10-05T00:00:00", "id": "749B5587-2DA1-11E3-B1A9-B499BAAB0CBE", "href": "https://vuxml.freebsd.org/freebsd/749b5587-2da1-11e3-b1a9-b499baab0cbe.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:14:52", "references": ["http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.16", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg1", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.4.16", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gnupg", "operator": "lt"}], "description": "\nWerner Koch reports:\n\nCVE-2013-4576 has been assigned to this security bug.\nThe paper describes two attacks. The first attack allows\n\t to distinguish keys: An attacker is able to notice which key is\n\t currently used for decryption. This is in general not a problem but\n\t may be used to reveal the information that a message, encrypted to a\n\t commonly not used key, has been received by the targeted machine. We\n\t do not have a software solution to mitigate this attack.\nThe second attack is more serious. It is an adaptive\n\t chosen ciphertext attack to reveal the private key. A possible\n\t scenario is that the attacker places a sensor (for example a standard\n\t smartphone) in the vicinity of the targeted machine. That machine is\n\t assumed to do unattended RSA decryption of received mails, for example\n\t by using a mail client which speeds up browsing by opportunistically\n\t decrypting mails expected to be read soon. While listening to the\n\t acoustic emanations of the targeted machine, the smartphone will send\n\t new encrypted messages to that machine and re-construct the private\n\t key bit by bit. A 4096 bit RSA key used on a laptop can be revealed\n\t within an hour.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2013-12-18T00:00:00", "title": "gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4576"], "modified": "2014-04-30T00:00:00", "id": "2E5715F8-67F7-11E3-9811-B499BAAB0CBE", "href": "https://vuxml.freebsd.org/freebsd/2e5715f8-67f7-11e3-9811-b499baab0cbe.html", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T01:14:55", "references": ["http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html", "http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html", "http://eprint.iacr.org/2013/448"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libgcrypt", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.5.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "linux-f10-libgcrypt", "operator": "lt"}], "description": "\nWerner Koch of the GNU project reports:\n\nNoteworthy changes in version 1.5.3:\nMitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...\nNote that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above\n\t problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG\n\t 1.4.14.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2013-07-18T00:00:00", "title": "GnuPG and Libgcrypt -- side-channel attack vulnerability", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4242"], "modified": "2013-07-18T00:00:00", "id": "689C2BF7-0701-11E3-9A25-002590860428", "href": "https://vuxml.freebsd.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "kaspersky": [{"lastseen": "2018-09-13T06:46:55", "references": [], "description": "### *CVSS*:\n5.8\n\n### *Detect date*:\n10/09/2013\n\n### *Severity*:\nHigh\n\n### *Description*:\nImproper permissions work was found in GnuPG. By exploiting this vulnerability malicious users can bypass cryptographic protection. This vulnerability can be exploited remotely via subkey.\n\n### *Affected products*:\nGnuPG 1.4 all versions \nGnuPG 2.0 all versions \nGnuPG 2.1 all versions\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nSB \n\n### *Related products*:\n[GnuPG / gpg](<https://threats.kaspersky.com/en/product/GnuPG-gpg/>)\n\n### *CVE-IDS*:\n[CVE-2013-4351](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4351>)", "edition": 12, "reporter": "Kaspersky Lab", "published": "2013-10-09T00:00:00", "title": "\r KLA10174SB vulnerability in GnuPG ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2013-4351"], "modified": "2018-09-10T00:00:00", "id": "KLA10174", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10174", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
