Moderate CentOS libgcrypt Update

Metadata

low
1.9
libgcrypt-1.4.4-7.el5_10.i386.rpm, libgcrypt-1.4.4-7.el5_10.src.rpm, libgcrypt-1.4.4-7.el5_10.x86_64.rpm, libgcrypt-1.4.5-11.el6_4.i686.rpm, libgcrypt-1.4.5-11.el6_4.src.rpm, libgcrypt-1.4.5-11.el6_4.x86_64.rpm, libgcrypt-devel-1.4.4-7.el5_10.i386.rpm, libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm, libgcrypt-devel-1.4.5-11.el6_4.i686.rpm, libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm
CVE-2013-4242
rhn.redhat.com, lists.centos.org, lists.centos.org
2013-11-24
2017-07-27 19:06
ALAS-2013-225
ALAS-2013-226
Moderate CentOS gnupg Update
CVE-2013-4242 gnupg
CVE-2013-4242 libgcrypt11
CVE-2013-4242
2017-04-01 19:07
2017-01-05 20:11

Description


An updated libgcrypt package that fixes one security issue is now available
for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The libgcrypt library provides general-purpose implementations of various
cryptographic algorithms.

It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload
cache side-channel attack on the RSA secret exponent. An attacker able to
execute a process on the logical CPU that shared the L3 cache with the
GnuPG process (such as a different local user or a user of a KVM guest
running on the same host with the kernel same-page merging functionality
enabled) could possibly use this flaw to obtain portions of the RSA secret
key. (CVE-2013-4242)

All libgcrypt users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.
Please see https://www.redhat.com/footer/terms-of-use.html

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Release Package Patched in
5 libgcrypt libgcrypt-1.4.4-7.el5_10.i386.rpm
libgcrypt libgcrypt-1.4.4-7.el5_10.src.rpm
libgcrypt libgcrypt-1.4.4-7.el5_10.x86_64.rpm
libgcrypt-devel libgcrypt-devel-1.4.4-7.el5_10.i386.rpm
libgcrypt-devel libgcrypt-devel-1.4.4-7.el5_10.x86_64.rpm
6 libgcrypt libgcrypt-1.4.5-11.el6_4.i686.rpm
libgcrypt libgcrypt-1.4.5-11.el6_4.src.rpm
libgcrypt libgcrypt-1.4.5-11.el6_4.x86_64.rpm
libgcrypt-devel libgcrypt-devel-1.4.5-11.el6_4.i686.rpm
libgcrypt-devel libgcrypt-devel-1.4.5-11.el6_4.x86_64.rpm