Univention Bugzilla – Bug 47288
libgcrypt20: Multiple issues (4.3)
Last modified: 2018-07-04 14:54:01 CEST
New Debian libgcrypt20 1.7.6-2+deb9u3 fixes: This update addresses the following issue(s): * This update addresses the following issue(s): * * Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. (CVE-2018-0495) CVE_2018-6829 is open 1.7.6-2+deb9u3 (Fri, 15 Jun 2018 11:58:05 +0200) * Non-maintainer upload by the Security Team. * ecc: Add blinding for ECDSA (CVE-2018-0495) * CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
[4.3-1] 94b087fd2d Bug #47288: libgcrypt20 1.7.6-2+deb9u3 doc/errata/staging/libgcrypt20.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) <http://10.200.17.11/4.3-1/#2129768904787194478>
<http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/ErrataValidation/233/console> OK: Jenkins <http://jenkins.knut.univention.de:8080/job/UCS-4.3/job/UCS-4.3-1/job/AutotestJoin/lastCompletedBuild/testReport/>
<http://errata.software-univention.de/ucs/4.3/133.html>