Bug 15610 - libgcrypt new security issue CVE-2015-0837
Summary: libgcrypt new security issue CVE-2015-0837
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/635765/
Whiteboard: has_procedure advisory MGA4-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-01 19:16 CEST by David Walser
Modified: 2015-09-13 23:59 CEST (History)
1 user (show)

See Also:
Source RPM: libgcrypt-1.5.4-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-04-01 19:16:09 CEST
Ubuntu has issued an advisory today (April 1):
http://www.ubuntu.com/usn/usn-2555-1/

We previously fixed this for gnupg in Bug 15441, but it turns out libgcrypt 1.5 is affected after all.  It's a minor issue, so I've checked the patch into SVN, and it will be included in the next future update.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-09-02 17:52:20 CEST
Submitting this update now to get it in before Mageia 4 EOL.

This can be tested with gnupg2 in Bug 15483.

Advisory:
========================

Updated libgcrypt packages fix security vulnerability:

Daniel Genkin, Adi Shamir, and Eran Tromer discovered that Libgcrypt was
susceptible to an attack via physical side channels. A local attacker could
use this attack to possibly recover private keys (CVE-2015-0837).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0837
http://www.ubuntu.com/usn/usn-2555-1/
========================

Updated packages in core/updates_testing:
========================
libgcrypt11-1.5.4-1.2.mga4
libgcrypt-devel-1.5.4-1.2.mga4

from libgcrypt-1.5.4-1.2.mga4.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-09-08 22:00:11 CEST
Testing complete Mageia 4 i586 using the procedure.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 claire robinson 2015-09-13 22:16:25 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-09-13 23:59:26 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0360.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.