Univention Bugzilla – Bug 47562
libgcrypt20: Multiple issues (4.2)
Last modified: 2018-08-15 16:20:52 CEST
New Debian libgcrypt20 1.6.3-2+deb8u5 fixes: This update addresses the following issue(s): * * Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. (CVE-2018-0495) CVE_2018-6829 is open TEMP-0000000-96B2E9 is open 1.6.3-2+deb8u5 (Fri, 22 Jun 2018 11:35:48 +0200) * Non-maintainer upload by the LTS team. * ecc: Add blinding for ECDSA (CVE-2018-0495) * CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
--- mirror/ftp/4.2/unmaintained/4.2-4/source/libgcrypt20_1.6.3-2+deb8u4.dsc +++ apt/ucs_4.2-0-errata4.2-4/source/libgcrypt20_1.6.3-2+deb8u5.dsc @@ -1,3 +1,8 @@ +1.6.3-2+deb8u5 [Fri, 22 Jun 2018 11:35:48 +0200] Emilio Pozuelo Monfort <pochu@debian.org>: + + * Non-maintainer upload by the LTS team. + * ecc: Add blinding for ECDSA (CVE-2018-0495) + 1.6.3-2+deb8u4 [Sat, 01 Jul 2017 11:53:07 +0200] Andreas Metzler <ametzler@debian.org>: * 22_CVE-2017-752*.patch from upstream 1.7.8 release: Mitigate a <http://10.200.17.11/4.2-4/#3453009868777944519>
OK: yaml OK: errata-announce OK: patch OK: piuparts [4.2-4] 5f292722cb Bug #47562: libgcrypt20 1.6.3-2+deb8u5 doc/errata/staging/libgcrypt20.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) [4.2-4] bb0125622a Bug #47562: libgcrypt20 1.6.3-2+deb8u5 doc/errata/staging/libgcrypt20.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
<http://errata.software-univention.de/ucs/4.2/460.html>