Arch Linux Security Advisory ASA-201608-18
==========================================

Severity: Low
Date    : 2016-08-21
CVE-ID  : CVE-2016-6313
Package : libgcrypt
Type    : information disclosure
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libgcrypt before version 1.7.3-1 is vulnerable to information
disclosure.

Resolution
==========

Upgrade to 1.7.3-1.

# pacman -Syu "libgcrypt>=1.7.3-1"

The problem has been fixed upstream in version 1.7.3.

Workaround
==========

None.

Description
===========

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology
found a bug in the mixing functions of Libgcrypt's random number generator: an
attacker who obtains 4640 bits from the RNG can trivially predict the next 160
bits of output. This bug has existed since 1998 in all GnuPG and Libgcrypt
versions.

Impact
======

A remote attacker, given access to enough entropy previously generated from the
RNG, can predict its output. Such access to enough entropy has been found to be
very unlikely in most situations, even for a local attacker.

References
==========

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
https://access.redhat.com/security/cve/CVE-2016-6313
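As an added example (not part of the advisory), the following script checks whether the installed libgcrypt package is older than the fixed version 1.7.3-1 given in the Resolution section. The `pacman -Q` output is a constructed sample, and `vercmp` is a simplified re-implementation of Arch's epoch:pkgver-pkgrel comparison, not the real `vercmp` tool.

```python
import re

# Fixed version stated in ASA-201608-18.
FIXED_VERSION = "1.7.3-1"

# Constructed sample of `pacman -Q` output; not captured from a real host.
SAMPLE_PACMAN_Q = """\
libgcrypt 1.7.2-1
libgpg-error 1.24-1
gnupg 2.1.15-1
"""

def _segments(s):
    """Split a version string into numeric and alphabetic tokens."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _split_version(ver):
    """Parse 'epoch:pkgver-pkgrel' into (epoch, pkgver tokens, pkgrel tokens)."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    pkgrel = "0"
    if "-" in ver:
        ver, pkgrel = ver.rsplit("-", 1)
    return epoch, _segments(ver), _segments(pkgrel)

def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        # Simplified vercmp rule: a numeric token is newer than an alphabetic one.
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))

def vercmp(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, pa, ra = _split_version(a)
    eb, pb, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_segments(pa, pb) or _cmp_segments(ra, rb)

def installed_version(pacman_q_output, package):
    """Look up one package's version in `pacman -Q` style output (name version per line)."""
    for line in pacman_q_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == package:
            return parts[1]
    return None

def is_vulnerable(pacman_q_output, package="libgcrypt", fixed=FIXED_VERSION):
    """True when the package is installed at a version older than the fixed one."""
    ver = installed_version(pacman_q_output, package)
    return ver is not None and vercmp(ver, fixed) < 0

if __name__ == "__main__":
    print("libgcrypt vulnerable:", is_vulnerable(SAMPLE_PACMAN_Q))
```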