Field | Value |
---|---|
Summary | <app-crypt/gnupg-1.4.14, <dev-libs/libgcrypt-1.5.3: Flush+Reload cache side-channel attack on RSA secret keys (CVE-2013-4242) |
Product | Gentoo Security |
Component | Vulnerabilities |
Reporter | Arfrever Frehtes Taifersar Arahesis <arfrever.fta> |
Assignee | Gentoo Security <security> |
CC | alonbl |
Status | RESOLVED FIXED |
Severity | minor |
Priority | Normal |
Version | unspecified |
Hardware | All |
OS | All |
URL | http://www.openwall.com/lists/oss-security/2013/07/26/7 |
Whiteboard | A4 [glsa] |
Package list | |
Runtime testing required | --- |

Description
Arfrever Frehtes Taifersar Arahesis
2013-07-25 23:34:33 UTC
Arches, please stabilize:
=dev-libs/libgcrypt-1.5.3
Target keywords: alpha,amd64,arm,hppa,ia64,m68k,ppc,ppc64,s390,sh,sparc,x86
and
=app-crypt/gnupg-1.4.14
Target keywords: alpha,amd64,arm,hppa,ia64,ppc,ppc64,s390,sh,sparc,x86

amd64 stable

Stable for HPPA.

x86 stable

ppc stable

arm stable

alpha stable

ia64 stable

ppc64 stable

s390 stable

sparc stable

sh stable

CVE-2013-4242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4242): GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

GLSA vote: yes

m68k gone from stable, removing from CC. @maintainers: clean affected, please.

GLSA vote: yes, added to existing draft.

crypto done

This is A for libgcrypt. Maintainer(s), please drop the vulnerable version: <dev-libs/libgcrypt-1.5.3

Thank you for cleaning up gnupg!

Cleanup's apparently been done.

This issue was resolved and addressed in GLSA 201402-24 at http://security.gentoo.org/glsa/glsa-201402-24.xml by GLSA coordinator Chris Reffett (creffett).