Bug 47562 - libgcrypt20: Multiple issues (4.2)
libgcrypt20: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P3 normal (vote)
: UCS 4.2-4-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-08-09 12:26 CEST by Quality Assurance
Modified: 2018-08-15 16:20 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 5.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2018-08-09 12:26:57 CEST
New Debian libgcrypt20 1.6.3-2+deb8u5 fixes:
This update addresses the following issue(s):
* 
* Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. (CVE-2018-0495)
CVE_2018-6829 is open
TEMP-0000000-96B2E9 is open

1.6.3-2+deb8u5 (Fri, 22 Jun 2018 11:35:48 +0200) * Non-maintainer upload by the LTS team. * ecc: Add blinding for ECDSA (CVE-2018-0495)
* CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
Comment 1 Quality Assurance univentionstaff 2018-08-09 18:46:44 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libgcrypt20_1.6.3-2+deb8u4.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/libgcrypt20_1.6.3-2+deb8u5.dsc
@@ -1,3 +1,8 @@
+1.6.3-2+deb8u5 [Fri, 22 Jun 2018 11:35:48 +0200] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * ecc: Add blinding for ECDSA (CVE-2018-0495)
+
 1.6.3-2+deb8u4 [Sat, 01 Jul 2017 11:53:07 +0200] Andreas Metzler <ametzler@debian.org>:
 
   * 22_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a

<http://10.200.17.11/4.2-4/#3453009868777944519>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 11:48:46 CEST
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 5f292722cb Bug #47562: libgcrypt20 1.6.3-2+deb8u5
 doc/errata/staging/libgcrypt20.yaml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

[4.2-4] bb0125622a Bug #47562: libgcrypt20 1.6.3-2+deb8u5
 doc/errata/staging/libgcrypt20.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:20:52 CEST
<http://errata.software-univention.de/ucs/4.2/460.html>