[ASA-201806-10] libgcrypt: private key recovery
foxboron at archlinux.org
Mon Jun 18 19:06:21 UTC 2018
Arch Linux Security Advisory ASA-201806-10
Date : 2018-06-16
CVE-ID : CVE-2018-0495
Package : libgcrypt
Type : private key recovery
Remote : No
Link : https://security.archlinux.org/AVG-719
The package libgcrypt before version 1.8.3-1 is vulnerable to private
Upgrade to 1.8.3-1.
# pacman -Syu "libgcrypt>=1.8.3-1"
The problem has been fixed upstream in version 1.8.3.
An implementation flaw has been discovered in multiple cryptographic
libraries that allows a side-channel based attacker to recover ECDSA or
DSA private keys. When these cryptographic libraries use the private
key to create a signature, such as for a TLS or SSH connection, they
inadvertently leak information through memory caches. An unprivileged
attacker running on the same machine can collect the information from a
few thousand signatures and recover the value of the private key.
An unprivileged user might be able to retrieve private keys on the