Medium: libgcrypt

Issue Overview: Fix a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak. CVE-2015-0837 Fix a side-channel attack which can potentially lead to an information leak. CVE-2014-3591 Libgcrypt before 1.5.4, as used in...

krb5: multiple issues

CVE-2014-5355 denial of service When a server process uses the krb5recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example...

SUSE-SU-2015:1179-1 Security update for libgcrypt

This update of libgcrypt fixes one security issue and brings various FIPS 140-2 related improvements. libgcrypt now uses ciphertext blinding for Elgamal decryption CVE-2014-3591 FIPS 140-2 related changes: The library performs its self-tests when the module is complete the -hmac file is also...

DLA-190-1 libgcrypt11 - security update

Bulletin has no description...

Debian DSA-3185-1 : libgcrypt11 - security update

Multiple vulnerabilities were discovered in libgcrypt : - CVE-2014-3591 The Elgamal decryption routine was susceptible to a side-channel attack discovered by researchers of Tel Aviv University. Ciphertext blinding was enabled to counteract it. Note that this may have a quite noticeable impact on...

Debian Security Advisory DSA 3184-1 (gnupg - security update)

Multiple vulnerabilities were discovered in GnuPG, the GNU Privacy Guard: CVE-2014-3591 The Elgamal decryption routine was susceptible to a side-channel attack discovered by researchers of Tel Aviv University. Ciphertext blinding was enabled to counteract it. Note that this may have a quite...

Debian Security Advisory DSA 3185-1 (libgcrypt11 - security update)

Multiple vulnerabilities were discovered in libgcrypt: CVE-2014-3591 The Elgamal decryption routine was susceptible to a side-channel attack discovered by researchers of Tel Aviv University. Ciphertext blinding was enabled to counteract it. Note that this may have a quite noticeable impact on...

Updated owasp-esapi-java packages fix CVE-2013-5679

Updated owasp-esapi-java packages fix security vulnerability: The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API ESAPI for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier f...

SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack

A flaw was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining CBC mode. This flaw allows a man-in-the-middle MITM attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a...

UBUNTU-CVE-2014-3591

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during...

RHEL 6 : JBoss EWP (RHSA-2013:0195)

Updated JBoss Enterprise Web Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability...

RHEL 4 : JBoss EWP (RHSA-2013:0197)

Updated JBoss Enterprise Web Platform 5.2.0 packages that fix multiple security issues, various bugs, and add several enhancements are now available for Red Hat Enterprise Linux 4. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability...

CVE-2014-6133

IBM API Management 3.x before 3.0.1.0 allows local users to obtain sensitive ciphertext information via unspecified vectors...

Avolve Software ProjectDox Multiple Vulnerability Disclosure

--------------------------------------------------------------------- Product: ProjectDox Vendor: Avolve Software Vulnerable Version: 8.1 Tested Version: 8.1 Vendor Notification: May 30, 2014 Public Disclosure: September 3, 2014 Vulnerability Type: Cross-Site Scripting CWE-79 CVE Reference:...

CVE-2014-5270

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed...

DEBIAN-CVE-2014-5270

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed...

CVE-2014-5270

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed...

F5 Networks BIG-IP : TLS/SSL RC4 vulnerability (K14638)

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. CVE-2013-2566 Impact...

[USN-2339-1] GnuPG vulnerability

========================================================================== Ubuntu Security Notice USN-2339-1 September 03, 2014 gnupg vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: -...

Ubuntu 10.04 LTS / 12.04 LTS : gnupg vulnerability (USN-2339-1)

Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via physical side channels. A local attacker could use this attack to possibly recover private keys. Note that Tenable Network Security has extracted the preceding description...