Mageia alert MGASA-2013-0239 (gnupg)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2013-0239: Updated gnupg package fixes
 security vulnerability 
Date:
    	     
 
Sat, 3 Aug 2013 10:45:07 +0200
Message-ID:
    	     
 
<20130803084508.0A53043B0F@valstar.mageia.org>
Archive-link:
    	     
 
Article, Thread
              
MGASA-2013-0239 - Updated gnupg package fixes security vulnerability

Publication date: 03 Aug 2013
URL: http://advisories.mageia.org/MGASA-2013-0239.html
Type: security
Affected Mageia releases: 2, 3
CVE: CVE-2013-4242

Description:
Yarom and Falkner discovered that RSA secret keys in applications
using GnuPG 1.x, and using the libgcrypt library, could be leaked via a
side channel attack, where a malicious local user could obtain private
key information from another user on the system (CVE-2013-4242).

References:
- https://bugs.mageia.org/show_bug.cgi?id=10850
- http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/00...
- http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/00...
- http://eprint.iacr.org/2013/448
- http://www.debian.org/security/2013/dsa-2730
- http://www.debian.org/security/2013/dsa-2731
- http://www.mandriva.com/en/support/security/advisories/ad...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242

SRPMS:
- 3/core/gnupg-1.4.14-1.mga3
- 3/core/libgcrypt-1.5.3-1.mga3
- 2/core/gnupg-1.4.12-1.2.mga2
- 2/core/libgcrypt-1.5.0-2.1.mga2