| Summary: | gnupg, libgcrypt new security issues CVE-2014-3591 and CVE-2015-0837 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/635765/ | | |
| Whiteboard: | has_procedure MGA4-32-OK MGA4-64-OK advisory | | |
| Source RPM: | gnupg, libgcrypt | CVE: | |
| Status comment: | | | |
Description
David Walser 2015-03-06 23:12:19 CET
David Walser 2015-03-06 23:12:33 CET

Blocks:
(none) => 14674

Updated packages uploaded for Cauldron. Patched packages uploaded for Mageia 4.

Advisory:
========================

Updated gnupg and libgcrypt packages fix security vulnerabilities:

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 is vulnerable to a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak (CVE-2015-0837).

The gnupg package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library. The issues were fixed in libgcrypt 1.6.3. The libgcrypt package in Mageia, at version 1.5.4, was only vulnerable to the CVE-2014-3591 issue. It has also been patched to correct this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/150931.html
========================

Updated packages in core/updates_testing:
========================

gnupg-1.4.16-1.2.mga4
libgcrypt11-1.5.4-1.1.mga4
libgcrypt-devel-1.5.4-1.1.mga4

from SRPMS:
gnupg-1.4.16-1.2.mga4.src.rpm
libgcrypt-1.5.4-1.1.mga4.src.rpm

Version:
Cauldron => 4

Testing procedures:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3
https://bugs.mageia.org/show_bug.cgi?id=10850#c11

Use the "gpg" command to test gnupg. Replace "gpg" with "gpg2" to test gnupg2.

There's also a PoC for CVE-2014-3591, not that I expect anyone to try it :o)
http://www.cs.tau.ac.il/~tromer/radioexp/

Whiteboard:
(none) => has_procedure

Tested both gpg and gpg2 using the first half of Claire's procedure here:
https://bugs.mageia.org/show_bug.cgi?id=11306#c3

I found this neat trick for speeding up the key generation, because it was taking forever and not completing (working over SSH didn't help):
http://it.toolbox.com/blogs/lim/how-to-generate-enough-entropy-for-gpg-key-generation-process-on-fedora-linux-38022

Testing complete Mageia 4 i586.

Whiteboard:
has_procedure => has_procedure MGA4-32-OK

Testing on Mageia 4 x64 real hardware following Claire's procedure mentioned in Comment 2

From current packages:
---------------------
gnupg-1.4.16-1.1.mga4
lib64gcrypt11-1.5.4-1.mga4

To updated testing packages:
----------------------------
gnupg-1.4.16-1.2.mga4
lib64gcrypt11-1.5.4-1.1.mga4

With gpg and gpg2: All OK

CC:
(none) => olchal

Advisory uploaded, validating. Please push to 4 core/updates.

Keywords:
(none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0104.html

Status:
NEW => RESOLVED
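The advisory in the description above characterises CVE-2015-0837 as "data-dependent timing variations in modular exponentiation". The following is an added, stand-alone Python illustration of that weakness class; it is not code from GnuPG, libgcrypt or the packages in this bug, and the base, modulus and exponents are constructed values. It contrasts the classic left-to-right square-and-multiply loop, whose sequence of operations follows the 1 bits of the exponent, with a Montgomery ladder that performs the same squaring/multiplication sequence for every exponent of a given bit length. The trace of "S" (square) and "M" (multiply) steps stands in for what a timing side channel observes.

```python
# Added illustration of the CVE-2015-0837 weakness class: a modular
# exponentiation whose sequence of operations depends on the secret
# exponent bits. Stand-alone example code, not GnuPG's or libgcrypt's
# implementation; all numeric inputs below are constructed.


def _bits_msb_first(exp):
    """Exponent bits from the most significant one down, as 0/1 ints."""
    return [int(b) for b in bin(exp)[2:]] if exp > 0 else [0]


def modexp_square_multiply(base, exp, mod, trace=None):
    """Classic left-to-right square-and-multiply.

    The multiply step runs only for 1 bits, so the number of multiplications
    (and therefore the running time) tracks the exponent's Hamming weight:
    a data-dependent timing variation that leaks information about exp.
    """
    result = 1
    for bit in _bits_msb_first(exp):
        result = (result * result) % mod
        if trace is not None:
            trace.append("S")
        if bit:
            result = (result * base) % mod
            if trace is not None:
                trace.append("M")
    return result


def modexp_ladder(base, exp, mod, trace=None):
    """Montgomery ladder: exactly one multiplication and one squaring per
    bit whatever the bit's value, so the operation sequence is identical
    for every exponent of the same bit length. Invariant: r1 == r0 * base.

    Python's big-integer arithmetic is itself not constant-time; this
    models the operation-count leak only, not a real hardened routine.
    """
    r0, r1 = 1, base % mod
    for bit in _bits_msb_first(exp):
        if bit:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        if trace is not None:
            trace.extend(["M", "S"])
    return r0


def operation_trace(func, base, exp, mod):
    """Return (result, trace): trace is the S/M sequence the exponentiation
    performed, i.e. the pattern a timing side channel would observe."""
    trace = []
    result = func(base, exp, mod, trace)
    return result, "".join(trace)


def leaks_exponent(func, base, mod, exp_a, exp_b):
    """True if func's operation sequence differs between two exponents of
    equal bit length, meaning timing alone distinguishes them."""
    if exp_a.bit_length() != exp_b.bit_length():
        raise ValueError("compare exponents of the same bit length")
    _, trace_a = operation_trace(func, base, exp_a, mod)
    _, trace_b = operation_trace(func, base, exp_b, mod)
    return trace_a != trace_b


if __name__ == "__main__":
    # Constructed inputs: two 4-bit exponents with different Hamming weight.
    base, mod = 2, 1000003
    for name, func in (("square-and-multiply", modexp_square_multiply),
                       ("montgomery ladder", modexp_ladder)):
        for exp in (0b1111, 0b1000):
            result, trace = operation_trace(func, base, exp, mod)
            assert result == pow(base, exp, mod)
            print(f"{name:20s} exp={exp:04b} trace={trace}")
        print(f"{name:20s} leaks exponent: "
              f"{leaks_exponent(func, base, mod, 0b1111, 0b1000)}")
```

Running it shows the square-and-multiply trace for 0b1111 as SMSMSMSM and for 0b1000 as SMSSS, while the ladder produces MSMSMSMS for both; the result equals Python's built-in pow() in every case. The fixed packages in this bug do not use this exact ladder; the point is only that the per-bit work must not depend on the bit's value.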