libgcrypt-cavs-1.7.3-1.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10037 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libgcrypt-cavs-1.7.3-1.3 on GA media These are all security issues fixed in the libgcrypt-cavs-1.7.3-1.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10037 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10037 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-4242/ SUSE CVE CVE-2013-4242 page https://www.suse.com/security/cve/CVE-2014-3591/ SUSE CVE CVE-2014-3591 page https://www.suse.com/security/cve/CVE-2015-0837/ SUSE CVE CVE-2015-0837 page https://www.suse.com/security/cve/CVE-2015-5738/ SUSE CVE CVE-2015-5738 page https://www.suse.com/security/cve/CVE-2015-7511/ SUSE CVE CVE-2015-7511 page https://www.suse.com/security/cve/CVE-2016-6313/ SUSE CVE CVE-2016-6313 page openSUSE Tumbleweed libgcrypt-cavs-1.7.3-1.3 libgcrypt-devel-1.7.3-1.3 libgcrypt-devel-32bit-1.7.3-1.3 libgcrypt20-1.7.3-1.3 libgcrypt20-32bit-1.7.3-1.3 libgcrypt20-hmac-1.7.3-1.3 libgcrypt20-hmac-32bit-1.7.3-1.3 libgcrypt-cavs-1.7.3-1.3 as a component of openSUSE Tumbleweed libgcrypt-devel-1.7.3-1.3 as a component of openSUSE Tumbleweed libgcrypt-devel-32bit-1.7.3-1.3 as a component of openSUSE Tumbleweed libgcrypt20-1.7.3-1.3 as a component of openSUSE Tumbleweed libgcrypt20-32bit-1.7.3-1.3 as a component of openSUSE Tumbleweed libgcrypt20-hmac-1.7.3-1.3 as a component of openSUSE Tumbleweed libgcrypt20-hmac-32bit-1.7.3-1.3 as a component of openSUSE Tumbleweed GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. CVE-2013-4242 openSUSE Tumbleweed:libgcrypt-cavs-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.7.3-1.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4242.html CVE-2013-4242 https://bugzilla.suse.com/831359 SUSE Bug 831359 Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication. CVE-2014-3591 openSUSE Tumbleweed:libgcrypt-cavs-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.7.3-1.3 moderate 4.3 AV:A/AC:H/Au:S/C:C/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3591.html CVE-2014-3591 https://bugzilla.suse.com/920057 SUSE Bug 920057 https://bugzilla.suse.com/949135 SUSE Bug 949135 The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack." CVE-2015-0837 openSUSE Tumbleweed:libgcrypt-cavs-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.7.3-1.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-0837.html CVE-2015-0837 https://bugzilla.suse.com/920057 SUSE Bug 920057 The RSA-CRT implementation in the Cavium Software Development Kit (SDK) 2.x, when used on OCTEON II CN6xxx Hardware on Linux to support TLS with Perfect Forward Secrecy (PFS), makes it easier for remote attackers to obtain private RSA keys by conducting a Lenstra side-channel attack. CVE-2015-5738 openSUSE Tumbleweed:libgcrypt-cavs-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.7.3-1.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5738.html CVE-2015-5738 https://bugzilla.suse.com/944456 SUSE Bug 944456 https://bugzilla.suse.com/944835 SUSE Bug 944835 https://bugzilla.suse.com/944836 SUSE Bug 944836 Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations. CVE-2015-7511 openSUSE Tumbleweed:libgcrypt-cavs-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.7.3-1.3 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7511.html CVE-2015-7511 https://bugzilla.suse.com/965902 SUSE Bug 965902 The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits. CVE-2016-6313 openSUSE Tumbleweed:libgcrypt-cavs-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-32bit-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-1.7.3-1.3 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.7.3-1.3 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6313.html CVE-2016-6313 https://bugzilla.suse.com/1123792 SUSE Bug 1123792 https://bugzilla.suse.com/994157 SUSE Bug 994157