[SECURITY] [DLA 1080-1] gnupg security update

2017-08-3108:42:02

lists.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

AI Score

7.1

Confidence

High

EPSS

0.004

Percentile

73.2%

JSON

Package : gnupg
Version : 1.4.12-7+deb7u9
CVE ID : CVE-2017-7526

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and
Yuval Yarom discovered that gnupg is prone to a local side-channel
attack allowing full key recovery for RSA-1024.

See https://eprint.iacr.org/2017/627 for details.

For Debian 7 "Wheezy", these problems have been fixed in version
1.4.12-7+deb7u9.

We recommend that you upgrade your gnupg packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature

OSVersionArchitecturePackageVersionFilename
Debian8mipsellibgcrypt20-udeb< 1.6.3-2+deb8u4libgcrypt20-udeb_1.6.3-2+deb8u4_mipsel.deb
Debian9amd64libgcrypt20-dbgsym< 1.7.6-2+deb9u1libgcrypt20-dbgsym_1.7.6-2+deb9u1_amd64.deb
Debian7i386gnupg< 1.4.12-7+deb7u9gnupg_1.4.12-7+deb7u9_i386.deb
Debian8armhflibgcrypt20-udeb< 1.6.3-2+deb8u4libgcrypt20-udeb_1.6.3-2+deb8u4_armhf.deb
Debian7i386gnupg-curl< 1.4.12-7+deb7u9gnupg-curl_1.4.12-7+deb7u9_i386.deb
Debian8arm64libgcrypt20-dbg< 1.6.3-2+deb8u4libgcrypt20-dbg_1.6.3-2+deb8u4_arm64.deb
Debian8armellibgcrypt20-dbg< 1.6.3-2+deb8u4libgcrypt20-dbg_1.6.3-2+deb8u4_armel.deb
Debian8kfreebsd-i386gnupg< 1.4.18-7+deb8u4gnupg_1.4.18-7+deb8u4_kfreebsd-i386.deb
Debian9arm64libgcrypt20-udeb< 1.7.6-2+deb9u1libgcrypt20-udeb_1.7.6-2+deb9u1_arm64.deb
Debian8kfreebsd-i386gpgv-udeb< 1.4.18-7+deb8u4gpgv-udeb_1.4.18-7+deb8u4_kfreebsd-i386.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	mipsel	libgcrypt20-udeb	< 1.6.3-2+deb8u4	libgcrypt20-udeb_1.6.3-2+deb8u4_mipsel.deb
Debian	9	amd64	libgcrypt20-dbgsym	< 1.7.6-2+deb9u1	libgcrypt20-dbgsym_1.7.6-2+deb9u1_amd64.deb
Debian	7	i386	gnupg	< 1.4.12-7+deb7u9	gnupg_1.4.12-7+deb7u9_i386.deb
Debian	8	armhf	libgcrypt20-udeb	< 1.6.3-2+deb8u4	libgcrypt20-udeb_1.6.3-2+deb8u4_armhf.deb
Debian	7	i386	gnupg-curl	< 1.4.12-7+deb7u9	gnupg-curl_1.4.12-7+deb7u9_i386.deb
Debian	8	arm64	libgcrypt20-dbg	< 1.6.3-2+deb8u4	libgcrypt20-dbg_1.6.3-2+deb8u4_arm64.deb
Debian	8	armel	libgcrypt20-dbg	< 1.6.3-2+deb8u4	libgcrypt20-dbg_1.6.3-2+deb8u4_armel.deb
Debian	8	kfreebsd-i386	gnupg	< 1.4.18-7+deb8u4	gnupg_1.4.18-7+deb8u4_kfreebsd-i386.deb
Debian	9	arm64	libgcrypt20-udeb	< 1.7.6-2+deb9u1	libgcrypt20-udeb_1.7.6-2+deb9u1_arm64.deb
Debian	8	kfreebsd-i386	gpgv-udeb	< 1.4.18-7+deb8u4	gpgv-udeb_1.4.18-7+deb8u4_kfreebsd-i386.deb