Opened 8 years ago

Closed 8 years ago

#8186 closed enhancement (fixed)

libgcrypt-1.7.3

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 7.10
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New minor version (an emergency release).

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

The GnuPG Project is pleased to announce the availability of new
Libgcrypt and GnuPG versions to *fix a critical security problem*.

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of
Technology found a bug in the mixing functions of Libgcrypt's random
number generator: An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output.  This bug exists since
1998 in all GnuPG and Libgcrypt versions.


Impact
======
All Libgcrypt and GnuPG versions released before 2016-08-17 are affected
on all platforms.

A first analysis on the impact of this bug in GnuPG shows that existing
RSA keys are not weakened.  For DSA and Elgamal keys it is also unlikely
that the private key can be predicted from other public information.
This needs more research and I would suggest _not to_ overhasty revoke
keys.

http://www.openwall.com/lists/oss-security/2016/08/17/7

http://www.openwall.com/lists/oss-security/2016/08/17/8

Change History (2)

comment:1 by Douglas R. Reno, 8 years ago

Owner: changed from blfs-book@… to Douglas R. Reno
Status: new → assigned

I'll knock this out in my next commit. Just finished updating evolution-data-server.

comment:2 by Douglas R. Reno, 8 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r17641.
