Bug 3268 - [UPDATE REQUEST] [UPSTREAM UPDATE] libgcrypt
Status: RESOLVED FIXED
Product: Server Bugs
Classification: ROSA Server
Component: Main Packages
: unspecified
: All Linux
: Normal normal
: ---
Assigned To: Andrew Lukoshko
: ROSA Server Bugs
Reported: 2013-11-28 13:51 MSK by Andrew Lukoshko
Modified: 2013-12-03 16:12 MSK

vladimir.potapov: qa_verified+
andrew.lukoshko: published_server+

Description Andrew Lukoshko 2013-11-28 13:51:16 MSK
It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload
cache side-channel attack on the RSA secret exponent. An attacker able to
execute a process on the logical CPU that shared the L3 cache with the
GnuPG process (such as a different local user or a user of a KVM guest
running on the same host with the kernel same-page merging functionality
enabled) could possibly use this flaw to obtain portions of the RSA secret
key. (CVE-2013-4242)

http://rhn.redhat.com/errata/RHSA-2013-1457.html

https://abf.rosalinux.ru/build_lists/1391003
https://abf.rosalinux.ru/build_lists/1391004
Comment 1 Vladimir Potapov 2013-12-03 16:00:57 MSK
libgcrypt-1.4.5-11.res6
************************** RHEL Advisory ************************
It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload
cache side-channel attack on the RSA secret exponent. An attacker able to
execute a process on the logical CPU that shared the L3 cache with the
GnuPG process (such as a different local user or a user of a KVM guest
running on the same host with the kernel same-page merging functionality
enabled) could possibly use this flaw to obtain portions of the RSA secret
key. (CVE-2013-4242)
****************************************************************
QA Verified