
[SECURITY] [DLA 1015-1] libgcrypt11 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libgcrypt11
Version        : 1.5.0-5+deb7u6
CVE ID         : CVE-2017-7526

It was discovered that there was a key disclosure vulnerability in libgcrypt11,
a library of cryptographic routines:

  It is well known that constant-time implementations of modular exponentiation
  cannot use sliding windows. However, software libraries such as Libgcrypt,
  used by GnuPG, continue to use sliding windows. It is widely believed that,
  even if the complete pattern of squarings and multiplications is observed
  through a side-channel attack, the number of exponent bits leaked is not
  sufficient to carry out a full key-recovery attack against RSA.
  Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit
  sliding windows leak only 33% of the bits.

    -- Sliding right into disaster: Left-to-right sliding windows leak
       <https://eprint.iacr.org/2017/627>

For Debian 7 "Wheezy", this issue has been fixed in libgcrypt11 version
1.5.0-5+deb7u6.

We recommend that you upgrade your libgcrypt11 packages.


Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

