Gentoo Linux Security Advisory 201402-24 - Multiple vulnerabilities have been discovered in GnuPG and Libgcrypt, which may result in execution of arbitrary code, Denial of Service, or the disclosure of private keys. Versions less than 2.0.22 are affected.
b179c24948b12fd20220e710cd0fc8df88dcb5a2e4985677436d991735781ae4
Red Hat Security Advisory 2013-1458-01 - The GNU Privacy Guard is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard. It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process could possibly use this flaw to obtain portions of the RSA secret key.
4ed140d307f2bb993d4c7916c9f09e01858d795fc86538c67ede4581485941e0
Red Hat Security Advisory 2013-1457-01 - The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process could possibly use this flaw to obtain portions of the RSA secret key.
f0bc34c54d779918b986683d5fd801d334fea4b81db30f56c90de612a52fd94c
Slackware Security Advisory - New gnupg and libgcrypt packages are available for Slackware 12.1, 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix a security issue. New libgpg-error packages are also available for Slackware 13.1 and older as the supplied version wasn't new enough to compile the fixed version of libgcrypt. Related CVE Numbers: CVE-2013-4242.
c1175683a5f439679477f3080f9d765b49fc384e8d97d6c0659f5a5bd7a5ed81
Mandriva Linux Security Advisory 2013-205 - A vulnerability has been discovered and corrected in gnupg and in libgcrypt. Yarom and Falkner discovered that RSA secret keys in applications using GnuPG 1.x, and using the libgcrypt library, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. The updated packages have been patched to correct this issue.
288a8d5643e7fb7a1b87ff7609e628b2915d2cebf598e44fcb359f5b1096180f
Ubuntu Security Notice 1923-1 - Yuval Yarom and Katrina Falkner discovered a timing-based information leak, known as Flush+Reload, that could be used to trace execution in programs. GnuPG and Libgcrypt followed different execution paths based on key-related data, which could be used to expose the contents of private keys.
4b34c19540e898abdf725a966d6352bc929dfc4611f5200f686251cb2918ab0c
Debian Linux Security Advisory 2731-1 - Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system.
f0a1666c4812d4dc7cb9b02be9a71e7f903c37c2ee68d1a36864059533ee2595
Debian Linux Security Advisory 2730-1 - Yarom and Falkner discovered that RSA secret keys could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system.
a9eb5a7847a3399ecba5950187fddf262cc33613e718ae36cd8548159d9c4643