ESB-2018.1903 - [Debian] libgcrypt20: Access privileged data - Existing account 2018-07-02


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1903
                       libgcrypt patched in Debian 8
                                2 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libgcrypt20
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0495  

Reference:         ESB-2018.1780
                   ESB-2018.1766

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : libgcrypt20
Version        : 1.6.3-2+deb8u5
CVE ID         : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack
allowing recovery of ECDSA private keys.

For Debian 8 "Jessie", these problems have been fixed in version
1.6.3-2+deb8u5.

We recommend that you upgrade your libgcrypt20 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================