Bug 47562

Summary: libgcrypt20: Multiple issues (4.2)
Product: UCS Reporter: Quality Assurance <qa>
Component: Security updatesAssignee: Quality Assurance <qa>
Status: CLOSED FIXED QA Contact: Philipp Hahn <hahn>
Severity: normal    
Priority: P3    
Version: UCS 4.2   
Target Milestone: UCS 4.2-4-errata   
Hardware: All   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score: 5.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Description Quality Assurance univentionstaff 2018-08-09 12:26:57 CEST 
New Debian libgcrypt20 1.6.3-2+deb8u5 fixes:
This update addresses the following issue(s):
* 
* Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. (CVE-2018-0495)
CVE_2018-6829 is open
TEMP-0000000-96B2E9 is open

1.6.3-2+deb8u5 (Fri, 22 Jun 2018 11:35:48 +0200) * Non-maintainer upload by the LTS team. * ecc: Add blinding for ECDSA (CVE-2018-0495)
* CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
Comment 1 Quality Assurance univentionstaff 2018-08-09 18:46:44 CEST 
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libgcrypt20_1.6.3-2+deb8u4.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/libgcrypt20_1.6.3-2+deb8u5.dsc
@@ -1,3 +1,8 @@
+1.6.3-2+deb8u5 [Fri, 22 Jun 2018 11:35:48 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * ecc: Add blinding for ECDSA (CVE-2018-0495)
+
 1.6.3-2+deb8u4 [Sat, 01 Jul 2017 11:53:07 +0200] Andreas Metzler <ametzler@debian.org>:
 
   * 22_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a

<http://10.200.17.11/4.2-4/#3453009868777944519>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 11:48:46 CEST 
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 5f292722cb Bug #47562: libgcrypt20 1.6.3-2+deb8u5
 doc/errata/staging/libgcrypt20.yaml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

[4.2-4] bb0125622a Bug #47562: libgcrypt20 1.6.3-2+deb8u5
 doc/errata/staging/libgcrypt20.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:20:52 CEST 
<http://errata.software-univention.de/ucs/4.2/460.html>