Advisories » MGASA-2016-0072

Updated libgcrypt packages fix security vulnerabilities

Publication date: 17 Feb 2016
Modification date: 17 Feb 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-7511

Description

Updated libgcrypt packages fix security vulnerability:

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that
the ECDH secret decryption keys in applications using the libgcrypt20 library
could be leaked via a side-channel attack (CVE-2015-7511).

The libgcrypt package was also updated to include countermeasures against
Lenstra's fault attack on RSA Chinese Remainder Theorem optimization in RSA.
A signature verification step was updated to protect against leaks of private
keys in case of hardware faults or implementation errors in numeric
libraries.  This issue is equivalent to the CVE-2015-5738 issue in gnupg.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=17742
• http://lists.opensuse.org/opensuse-updates/2015-09/msg00033.html
• https://www.debian.org/security/2016/dsa-3474
• https://bugs.mageia.org/show_bug.cgi?id=16806
• https://bugs.mageia.org/show_bug.cgi?id=17742
• https://www.cve.org/CVERecord?id=CVE-2015-7511

SRPMS

5/core

• libgcrypt-1.5.4-5.2.mga5