Описание
Security update for libgcrypt
This update for libgcrypt fixes the following issues:
-
CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
-
Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)
Список пакетов
SUSE Linux Enterprise Desktop 12 SP2
libgcrypt20-1.6.1-16.39.1
libgcrypt20-32bit-1.6.1-16.39.1
SUSE Linux Enterprise Server 12 SP2
libgcrypt20-1.6.1-16.39.1
libgcrypt20-32bit-1.6.1-16.39.1
libgcrypt20-hmac-1.6.1-16.39.1
libgcrypt20-hmac-32bit-1.6.1-16.39.1
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
libgcrypt20-1.6.1-16.39.1
libgcrypt20-hmac-1.6.1-16.39.1
SUSE Linux Enterprise Server for SAP Applications 12 SP2
libgcrypt20-1.6.1-16.39.1
libgcrypt20-32bit-1.6.1-16.39.1
libgcrypt20-hmac-1.6.1-16.39.1
libgcrypt20-hmac-32bit-1.6.1-16.39.1
SUSE Linux Enterprise Software Development Kit 12 SP2
libgcrypt-devel-1.6.1-16.39.1
Ссылки
- Link for SUSE-SU-2017:1608-1
- E-Mail link for SUSE-SU-2017:1608-1
- SUSE Security Ratings
- SUSE Bug 1042326
- SUSE Bug 931932
- SUSE CVE CVE-2017-9526 page
Описание
In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.
Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP2:libgcrypt20-1.6.1-16.39.1
SUSE Linux Enterprise Desktop 12 SP2:libgcrypt20-32bit-1.6.1-16.39.1
SUSE Linux Enterprise Server 12 SP2:libgcrypt20-1.6.1-16.39.1
SUSE Linux Enterprise Server 12 SP2:libgcrypt20-32bit-1.6.1-16.39.1
Ссылки
- CVE-2017-9526
- SUSE Bug 1042326
- SUSE Bug 1043777