Mageia alert MGASA-2016-0072 (libgcrypt)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2016-0072: Updated libgcrypt packages fix security vulnerabilities 
Date:
    	     
 
Wed, 17 Feb 2016 20:06:40 +0100
Message-ID:
    	     
 
<20160217190640.514B19F658@duvel.mageia.org>
MGASA-2016-0072 - Updated libgcrypt packages fix security vulnerabilities

Publication date: 17 Feb 2016
URL: http://advisories.mageia.org/MGASA-2016-0072.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-7511

Description:
Updated libgcrypt packages fix security vulnerability:

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered that
the ECDH secret decryption keys in applications using the libgcrypt20 library
could be leaked via a side-channel attack (CVE-2015-7511).

The libgcrypt package was also updated to include countermeasures against
Lenstra's fault attack on RSA Chinese Remainder Theorem optimization in RSA.
A signature verification step was updated to protect against leaks of private
keys in case of hardware faults or implementation errors in numeric
libraries.  This issue is equivalent to the CVE-2015-5738 issue in gnupg.

References:
- https://bugs.mageia.org/show_bug.cgi?id=17742
- http://lists.opensuse.org/opensuse-updates/2015-09/msg000...
- https://www.debian.org/security/2016/dsa-3474
- https://bugs.mageia.org/show_bug.cgi?id=16806
- https://bugs.mageia.org/show_bug.cgi?id=17742
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7511

SRPMS:
- 5/core/libgcrypt-1.5.4-5.2.mga5