~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2013-07-29
Candidate: CVE-2013-4242
PublicDate: 2013-08-19
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
 http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
 http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html
 http://eprint.iacr.org/2013/448
 http://www.ubuntu.com/usn/usn-1923-1
Description:
 GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and
 possibly other products, allows local users to obtain private RSA keys via
 a cache side-channel attack involving the L3 cache, aka Flush+Reload.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717880
Priority: medium
Discovered-by: Yuval Yarom and Katrina Falkner
Assigned-to: sarnold

Patches_libgcrypt11:
 vendor: http://www.debian.org/security/2013/dsa-2731
 upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=287bf0e543f244d784cf8b58340bf0ab3c6aba97
upstream_libgcrypt11: released (1.5.3-1)
lucid_libgcrypt11: released (1.4.4-5ubuntu2.2)
precise_libgcrypt11: released (1.5.0-3ubuntu0.2)
quantal_libgcrypt11: released (1.5.0-3ubuntu1.1)
raring_libgcrypt11: released (1.5.0-3ubuntu2.2)
devel_libgcrypt11: released (1.5.0-3ubuntu3)

Patches_gnupg:
 vendor: http://www.debian.org/security/2013/dsa-2730
 upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=35646689f4b80955ff7dbe1687bf2c479c53421e
upstream_gnupg: released (1.4.14-1)
lucid_gnupg: released (1.4.10-2ubuntu1.3)
precise_gnupg: released (1.4.11-3ubuntu2.3)
quantal_gnupg: released (1.4.11-3ubuntu4.2)
raring_gnupg: released (1.4.12-7ubuntu1.1)
devel_gnupg: released (1.4.14-1ubuntu1)