Bug 37922

Summary: libgcrypt11: Side channel attacks (4.0)
Product: UCS Reporter: Moritz Muehlenhoff <jmm>
Component: Security updatesAssignee: Daniel Tröder <troeder>
Status: CLOSED FIXED QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P3 CC: gohmann, requate, walkenhorst
Version: UCS 4.0Flags: requate: Patch_Available+
Target Milestone: UCS 4.0-3-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:

Description Moritz Muehlenhoff univentionstaff 2015-03-03 06:51:20 CET 
Side-channel attack on El-Gamal keys (CVE-2014-3591)
Side-channel attack in the mpi_pow() function (CVE-2015-0837)
Comment 1 Arvid Requate univentionstaff 2015-04-30 19:27:08 CEST 
Fix available in Debian version 1.5.0-5+deb7u3
Comment 2 Daniel Tröder univentionstaff 2015-09-01 17:40:56 CEST 
Compiled 1.5.0-5+deb7u3 in scope errata4.0-3

YAML (r63391): 2015-09-01-libgcrypt11.yaml
Comment 3 Philipp Hahn univentionstaff 2015-09-09 17:11:56 CEST 
OK: DEBIAN_FRONTEND=noninteractive aptitude install -y '?source-package(^libgcrypt11$)~i'
OK: DEBIAN_FRONTEND=noninteractive aptitude install -y '?source-package(^libgcrypt11$)?not(?name(udeb))'
OK: /usr/share/doc/libgcrypt11/changelog.Debian.gz
OK: wget -O- https://www.univention.de/ >/dev/null

OK: r63391
OK: CVE-2014-3591
OK: CVE-2015-0837
OK: 2015-09-01-libgcrypt11.yaml
OK: errata-announce -V 2015-09-01-libgcrypt11.yaml
Comment 4 Janek Walkenhorst univentionstaff 2015-09-15 14:38:13 CEST 
<http://errata.software-univention.de/ucs/4.0/319.html>