Advisories » MGASA-2016-0292

Updated gnupg/libgcrypt packages fix security vulnerability

Publication date: 31 Aug 2016
Modification date: 31 Aug 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-6313

Description

Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of
Technology discovered a flaw in the mixing functions of GnuPG's random
number generator. An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output (CVE-2016-6313).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library.  The
libgcrypt package has also been patched to correct this issue.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=19206
• https://www.debian.org/security/2016/dsa-3649
• https://www.debian.org/security/2016/dsa-3650
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6313

SRPMS

5/core

• gnupg-1.4.19-1.2.mga5
• libgcrypt-1.5.4-5.3.mga5