ArchLinux: 201609-14: lib32-libgcrypt: information disclosure
Summary
Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: an attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug has existed since 1998 in all GnuPG and Libgcrypt versions.
Resolution
Upgrade to 1.7.3-1.
# pacman -Syu "lib32-libgcrypt>=1.7.3-1"
The problem has been fixed upstream in version 1.7.3.
References
https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
https://access.redhat.com/security/cve/CVE-2016-6313
Workaround
None.