Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 448
Alerts This Week
Warning Icon 1 448

Ubuntu 16.04 & 14.04: USN-3733-1 GnuPG Cache Side-Channel Attack

ubuntu
Calendar Grey August 7, 2018
Dist Ubuntu Esm H88
GnuPG reveals critical data due to a cache exploit. Ensure to apply the latest patch to resolve this vulnerability for Ubuntu 14.04 and 16.04 LTS.
GnuPG could be made to expose sensitive information.

Summary

GnuPG could be made to expose sensitive information.

Software Description:

- - gnupg: GNU privacy guard - a free PGP replacement

Details:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink,

Nadia Heninger, Tanja Lange, Christine van Vredendaal, and Yuval Yarom

discovered that GnuPG is vulnerable to a cache side-channel attack. A local

attacker could use this attack to recover RSA private keys.

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
  gnupg                           1.4.20-1ubuntu3.3
  gnupg-curl                      1.4.20-1ubuntu3.3
  gpgv                            1.4.20-1ubuntu3.3

Ubuntu 14.04 LTS:
  gnupg                           1.4.16-1ubuntu2.6
  gnupg-curl                      1.4.16-1ubuntu2.6
  gpgv                            1.4.16-1ubuntu2.6

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3733-1

CVE-2017-7526, https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1785176

Severity
critical
Lowest
Low
Medium
High
Critical

Hash: SHA512

Package Information

-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEiOlTC8vdwgBRe16w9JjS2d59rZwFAltpWFIACgkQ9JjS2d59
rZyPrQf/VPt2TDffx0VcATRASWbufWwfCoLqi1WctpRX4AEACWX1Y9yv3BVhql/X
KFMfULBhtNh5D41o7H1SHUhQPdxSYStt/0meXeU90ufgmdw5xacNTTUvQtDbMp+P
OZj7dm/zer8WYbgqHGWWLcuu6gL5TQ+6Bqlxn6VnfZunUXSEL+EXWOQgSflgBae0
78pixw2AfBy82kB+PFcG8JkX9P4JGSjE3iJhXOer6RbiAAIhQ4VAM8NXHvENK3Ru
aHzu/NrEAHIlZGwYiwOCl7gFZn2X+BWJAVBEzNUSqu+p4+ZhZON127dtIo0Ni62J
wZltX5i0XZQrHOxzukbimZsiv+aM/g==X0Hg
-----END PGP SIGNATURE-----
--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.