openSUSE-SU-2017:1700-1

Опубликовано: 26 июн. 2017

Источник: suse-cvrf

Описание

Security update for libgcrypt

This update for libgcrypt fixes the following issues:

CVE-2017-9526: Store the session key in secure memory to ensure that constant time point operations are used in the MPI library. (bsc#1042326)
Don't require secure memory for the fips selftests, this prevents the 'Oops, secure memory pool already initialized' warning. (bsc#931932)

This update was imported from the SUSE:SLE-12:Update update project.

Список пакетов

openSUSE Leap 42.2

libgcrypt-1.6.1-34.3.1

libgcrypt-cavs-1.6.1-34.3.1

libgcrypt-devel-1.6.1-34.3.1

libgcrypt-devel-32bit-1.6.1-34.3.1

libgcrypt20-1.6.1-34.3.1

libgcrypt20-32bit-1.6.1-34.3.1

libgcrypt20-hmac-1.6.1-34.3.1

libgcrypt20-hmac-32bit-1.6.1-34.3.1

Ссылки

https://lists.opensuse.org/opensuse-updates/2017-06/msg00104.html
E-Mail link for openSUSE-SU-2017:1700-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library.

Затронутые продукты

openSUSE Leap 42.2:libgcrypt-1.6.1-34.3.1

openSUSE Leap 42.2:libgcrypt-cavs-1.6.1-34.3.1

openSUSE Leap 42.2:libgcrypt-devel-1.6.1-34.3.1

openSUSE Leap 42.2:libgcrypt-devel-32bit-1.6.1-34.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2017-9526.html
CVE-2017-9526
https://bugzilla.suse.com/1042326
SUSE Bug 1042326
https://bugzilla.suse.com/1043777
SUSE Bug 1043777

openSUSE-SU-2017:1700-1

Описание

Список пакетов

openSUSE Leap 42.2

Ссылки

Уязвимость: CVE-2017-9526

Описание

Затронутые продукты

Ссылки