Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201707-1 ======================================== Severity: High Date : 2017-07-03 CVE-ID : CVE-2017-7526 Package : libgcrypt Type : private key recovery Remote : No Link : https://security.archlinux.org/AVG-338 Summary ====== The package libgcrypt before version 1.7.8-1 is vulnerable to private key recovery. Resolution ========= Upgrade to 1.7.8-1. # pacman -Syu "libgcrypt>=1.7.8-1" The problem has been fixed upstream in version 1.7.8. Workaround ========= None. Description ========== The pattern of squarings and multiplications in left-to-right sliding windows in libgcrypt <= 1.7.7 leaks significant information about exponent bits, allowing for the very efficient recovery of a full 1024-bit RSA key. Impact ===== A local attacker can use a side-channel attack to recover a secret private key. References ========= https://eprint.iacr.org/2017/627 https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=a9f612def801c8145d551d995475e5d51a4c988c;hp=0e6788517eac6f508fa32ec5d5c1cada7fb980bc https://security.archlinux.org/CVE-2017-7526