Information Exposure Affecting libgcrypt20 package, versions <1.7.6-2+deb9u3
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN9-LIBGCRYPT20-391880
- published 13 Jun 2018
- disclosed 13 Jun 2018
Introduced: 13 Jun 2018
CVE-2018-0495 Open this link in a new tabHow to fix?
Upgrade Debian:9
libgcrypt20
to version 1.7.6-2+deb9u3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt20
package and not the libgcrypt20
package as distributed by Debian
.
See How to fix?
for Debian:9
relevant fixed versions and status.
Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
References
- ADVISORY
- CVE Details
- Debian Security Advisory
- Debian Security Announcement
- MISC
- MISC
- MISC
- MISC
- Oracle Security Advisory
- REDHAT
- REDHAT
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- RHSA Security Advisory
- Security Tracker
- Security Tracker
- Ubuntu CVE Tracker
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- Ubuntu Security Advisory
- security@debian.org