| Field | Value |
|---|---|
| Summary | <dev-libs/libgcrypt-1.8.5: ECDSA timing attack in the libgcrypt20 cryptographic library (CVE-2019-13627) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| Priority | Normal |
| CC | crypto+disabled, k_f |
| Flags | stable-bot: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A4 [glsa+ cve] |
| Package list | dev-libs/libgcrypt-1.8.5 |
| Runtime testing required | --- |
Description
Kristian Fiskerstrand (RETIRED)
2019-08-30 08:52:00 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7dcf27c125de973322f6b2199731e689837d714b

    commit 7dcf27c125de973322f6b2199731e689837d714b
    Author:     Kristian Fiskerstrand <k_f@gentoo.org>
    AuthorDate: 2019-08-30 08:59:15 +0000
    Commit:     Kristian Fiskerstrand <k_f@gentoo.org>
    CommitDate: 2019-08-30 08:59:43 +0000

    dev-libs/libgcrypt: New upstream version 1.8.5

    Bug: https://bugs.gentoo.org/693108
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org>

     dev-libs/libgcrypt/Manifest               |  1 +
     dev-libs/libgcrypt/libgcrypt-1.8.5.ebuild | 76 +++++++++++++++++++++++++++++++
     2 files changed, 77 insertions(+)

Arches, please stabilize dev-libs/libgcrypt-1.8.5

alpha stable
s390 stable
ppc stable
amd64 stable
ppc64 stable
sparc stable
x86 stable
hppa stable
arm stable
arm64 stable
ia64 stable.

Maintainer(s), please cleanup. Security, please vote.

New GLSA request filed.

This issue was resolved and addressed in GLSA 202003-32 at https://security.gentoo.org/glsa/202003-32 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architectures.

SuperH port disbanded.

m68k dropped stable keywords

@maintainer(s), please cleanup

CVE-2019-12904 (https://nvd.nist.gov/vuln/detail/CVE-2019-12904): In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)

@maintainer(s), ping, please cleanup

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8523b6a86cb32972ea1f06e2bab05a89e9e4157

    commit b8523b6a86cb32972ea1f06e2bab05a89e9e4157
    Author:     Aaron Bauman <bman@gentoo.org>
    AuthorDate: 2020-06-20 00:55:44 +0000
    Commit:     Aaron Bauman <bman@gentoo.org>
    CommitDate: 2020-06-20 00:56:05 +0000

    dev-libs/libgcrypt: drop vulnerable

    Bug: https://bugs.gentoo.org/693108
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

     dev-libs/libgcrypt/Manifest                  |  2 -
     dev-libs/libgcrypt/libgcrypt-1.8.3-r1.ebuild | 75 ----------------------------
     dev-libs/libgcrypt/libgcrypt-1.8.3.ebuild    | 74 ---------------------------
     dev-libs/libgcrypt/libgcrypt-1.8.4.ebuild    | 75 ----------------------------
     4 files changed, 226 deletions(-)
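The whole stabilization and cleanup cycle above rests on one threshold: every dev-libs/libgcrypt older than 1.8.5 (the 1.8.3, 1.8.3-r1 and 1.8.4 ebuilds that were dropped) is affected, and 1.8.5 or later is not. The following is an added example, not code from this bug, from GLSA 202003-32 or from the libgcrypt project, of how one might audit an installed-package listing against that threshold. It assumes atoms in the `category/pkg-version[-rN]` form that `qlist -Iv` prints, handles only plain dotted numeric versions plus a Gentoo `-rN` revision, and the sample listing is constructed, not real system output. The point worth noticing is that a plain string comparison would misorder a future 1.10.x below 1.8.5, so versions are compared as integer tuples.

```python
import re
from typing import List, Tuple

# Threshold taken from this bug's package list / GLSA 202003-32:
# <dev-libs/libgcrypt-1.8.5 is affected, 1.8.5 and later are not.
PACKAGE = "dev-libs/libgcrypt"
FIXED_VERSION = "1.8.5"

# Atom grammar handled here (an assumption, deliberately narrow):
# "category/pkg-version" with an optional Gentoo "-rN" revision. Suffixes
# such as _p1 or _rc1 are rejected rather than silently mis-sorted.
_ATOM_RE = re.compile(
    r"^(?P<cat>[^/\s]+)/(?P<pkg>\S+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$"
)

VersionKey = Tuple[Tuple[int, ...], int]


def version_key(ver: str, rev: int = 0) -> VersionKey:
    """Sort key that orders versions numerically per component.

    "1.10.0" must sort above "1.8.5"; comparing the strings directly
    would put it below and report a fixed package as vulnerable or
    miss an affected one, depending on the direction of the check.
    """
    return (tuple(int(part) for part in ver.split(".")), rev)


def parse_atom(atom: str) -> Tuple[str, VersionKey]:
    """Split 'dev-libs/libgcrypt-1.8.3-r1' into its package name and key.

    Raises ValueError for anything outside the supported grammar so an
    odd line is surfaced instead of being classified by accident.
    """
    match = _ATOM_RE.match(atom.strip())
    if not match:
        raise ValueError(f"unsupported atom syntax: {atom!r}")
    revision = int(match.group("rev") or 0)
    name = f"{match.group('cat')}/{match.group('pkg')}"
    return name, version_key(match.group("ver"), revision)


def is_vulnerable(atom: str) -> bool:
    """True if the atom is dev-libs/libgcrypt older than FIXED_VERSION."""
    name, key = parse_atom(atom)
    if name != PACKAGE:
        return False
    return key < version_key(FIXED_VERSION)


def audit(installed: List[str]) -> List[str]:
    """Return the atoms in a listing that this GLSA still applies to.

    Blank lines are ignored; a malformed line raises ValueError from
    parse_atom rather than being skipped silently.
    """
    return [line.strip() for line in installed if line.strip() and is_vulnerable(line)]


# Constructed sample listing (not real system output), in the
# "category/pkg-version" form that a tool such as `qlist -Iv` prints.
SAMPLE_INSTALLED = [
    "dev-libs/libgcrypt-1.8.3-r1",
    "dev-libs/libgcrypt-1.8.4",
    "dev-libs/libgcrypt-1.8.5",
    "dev-libs/libgpg-error-1.36",
    "app-crypt/gnupg-2.2.19",
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_INSTALLED):
        print(f"{hit}: affected, upgrade to >={PACKAGE}-{FIXED_VERSION}")
```

Running it against the sample flags the two older slots only; the 1.8.5 entry, the unrelated libgpg-error and gnupg atoms, and a hypothetical 1.10.0 all pass. On a real host the listing would come from the package manager, and any line the narrow grammar rejects should be looked at by hand rather than assumed clean.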