Stay Secure with the Latest Linux Advisories

security advisoryhigh severityremote access

Arch Linux: 2016-02-19 Critical Vulnerability in Libgcrypt Secret Keys

The package libgcrypt before version 1.6.5-1 is vulnerable to a side-channel attack leading to extraction of secret decryption keys. . Arch Linux Security Advisory ASA-201602-19 ========================================= Severity: High Date : 2016-02-24 CVE-ID : CVE-2015-7511 Package : libgcrypt Type : secret key extraction Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package libgcrypt before version 1.6.5-1 is vulnerable to a side-channel attack leading to extraction of secret decryption keys. Resolution ========= Upgrade to 1.6.5-1. # pacman -Syu "libgcrypt> =1.6.5-1" The problem has been fixed upstream in version 1.6.5. Workaround ========= None. Description ========== A vulnerability was found in a way the ECDH encryption algorithm decrypts data. An attacker with a specialized setup can extract the secret decryption key from a target located in an adjacent room within seconds. This is done by measuring the target's electromagnetic emanations. Impact ===== A remote attacker located in an adjacent room is able to extract the secret decryption key by measuring the target's electromagnetic emanations. References ========= https://access.redhat.com/security/cve/CVE-2015-7511 https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html . Arch Linux Security Notice regarding libgcrypt highlights a critical threat stemming from a vulnerability that allows for secret key extraction.. libgcrypt, Secret Key Attack, Remote Exploit, High Severity Risk. . Severity: Important. LinuxSecurity.com Team

Feb 25, 2016 •Important ArchLinux