Gentoo: GLSA-201610-04: libgcrypt: Multiple vulnerabilities
Summary
Multiple vulnerabilities have been discovered in libgcrypt. Please review the CVE identifiers referenced below for details.
Resolution
All libgcrypt users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libgcrypt-1.7.3"
References
[ 1 ] CVE-2014-3591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3591
[ 2 ] CVE-2015-0837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0837
[ 3 ] CVE-2015-7511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7511
[ 4 ] CVE-2016-6313
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6313
[ 5 ] Factoring RSA Keys With TLS Perfect Forward Secrecy
https://www.redhat.com/en/blog/factoring-rsa-keys-tls-perfect-forward-secrecy
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201610-04
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
Synopsis
Multiple vulnerabilities have been fixed in libgcrypt,the worst of which results in predictable output from the random number generator.
Background
libgcrypt is a general purpose cryptographic library derived out of GnuPG.
Affected Packages
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/libgcrypt < 1.7.3 >= 1.7.3
Impact
===== Side-channel attacks can leak private key information. A separate critical bug allows an attacker who obtains 4640 bits from the RNG to trivially predict the next 160 bits of output.
Workaround
There is no known workaround at this time.