Updated libgcrypt packages fix security vulnerabilities
Publication date: 17 Feb 2016Modification date: 17 Feb 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-7511
Description
Updated libgcrypt packages fix security vulnerability:
Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that
the ECDH secret decryption keys in applications using the libgcrypt20 library
could be leaked via a side-channel attack (CVE-2015-7511).
The libgcrypt package was also updated to include countermeasures against
Lenstra's fault attack on RSA Chinese Remainder Theorem optimization in RSA.
A signature verification step was updated to protect against leaks of private
keys in case of hardware faults or implementation errors in numeric
libraries. This issue is equivalent to the CVE-2015-5738 issue in gnupg.
References
- https://bugs.mageia.org/show_bug.cgi?id=17742
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00033.html
- https://www.debian.org/security/2016/dsa-3474
- https://bugs.mageia.org/show_bug.cgi?id=16806
- https://bugs.mageia.org/show_bug.cgi?id=17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7511
SRPMS
5/core
- libgcrypt-1.5.4-5.2.mga5