[Trisquel-security] [USN-1923-1] GnuPG, Libgcrypt vulnerability

Seth Arnold seth.arnold at canonical.com
Thu Aug 1 03:48:37 CEST 2013


==========================================================================
Ubuntu Security Notice USN-1923-1
August 01, 2013

gnupg, libgcrypt11 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

GnuPG and Libgcrypt could be made to expose sensitive information.

Software Description:
- gnupg: GNU privacy guard - a free PGP replacement
- libgcrypt11: LGPL Crypto library - runtime library

Details:

Yuval Yarom and Katrina Falkner discovered a timing-based information leak,
known as Flush+Reload, that could be used to trace execution in programs.
GnuPG and Libgcrypt followed different execution paths based on key-related
data, which could be used to expose the contents of private keys.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
  gnupg                           1.4.12-7ubuntu1.1
  libgcrypt11                     1.5.0-3ubuntu2.2

Ubuntu 12.10:
  gnupg                           1.4.11-3ubuntu4.2
  libgcrypt11                     1.5.0-3ubuntu1.1

Ubuntu 12.04 LTS:
  gnupg                           1.4.11-3ubuntu2.3
  libgcrypt11                     1.5.0-3ubuntu0.2

Ubuntu 10.04 LTS:
  gnupg                           1.4.10-2ubuntu1.3
  libgcrypt11                     1.4.4-5ubuntu2.2

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-1923-1
  CVE-2013-4242

Package Information:
  https://launchpad.net/ubuntu/+source/gnupg/1.4.12-7ubuntu1.1
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.0-3ubuntu2.2
  https://launchpad.net/ubuntu/+source/gnupg/1.4.11-3ubuntu4.2
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.0-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/gnupg/1.4.11-3ubuntu2.3
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.0-3ubuntu0.2
  https://launchpad.net/ubuntu/+source/gnupg/1.4.10-2ubuntu1.3
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.4.4-5ubuntu2.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://listas.trisquel.info/pipermail/trisquel-security/attachments/20130731/250e7a80/attachment.pgp>
-------------- next part --------------
-- 
ubuntu-security-announce mailing list
ubuntu-security-announce at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce


More information about the Trisquel-security mailing list