libgcrypt-cavs-1.9.4-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10941-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libgcrypt-cavs-1.9.4-1.2 on GA media These are all security issues fixed in the libgcrypt-cavs-1.9.4-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10941 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-0379/ SUSE CVE CVE-2017-0379 page https://www.suse.com/security/cve/CVE-2017-7526/ SUSE CVE CVE-2017-7526 page https://www.suse.com/security/cve/CVE-2018-0495/ SUSE CVE CVE-2018-0495 page https://www.suse.com/security/cve/CVE-2019-12904/ SUSE CVE CVE-2019-12904 page https://www.suse.com/security/cve/CVE-2019-13627/ SUSE CVE CVE-2019-13627 page https://www.suse.com/security/cve/CVE-2021-3345/ SUSE CVE CVE-2021-3345 page https://www.suse.com/security/cve/CVE-2021-33560/ SUSE CVE CVE-2021-33560 page openSUSE Tumbleweed libgcrypt-cavs-1.9.4-1.2 libgcrypt-devel-1.9.4-1.2 libgcrypt-devel-32bit-1.9.4-1.2 libgcrypt20-1.9.4-1.2 libgcrypt20-32bit-1.9.4-1.2 libgcrypt20-hmac-1.9.4-1.2 libgcrypt20-hmac-32bit-1.9.4-1.2 libgcrypt-cavs-1.9.4-1.2 as a component of openSUSE Tumbleweed libgcrypt-devel-1.9.4-1.2 as a component of openSUSE Tumbleweed libgcrypt-devel-32bit-1.9.4-1.2 as a component of openSUSE Tumbleweed libgcrypt20-1.9.4-1.2 as a component of openSUSE Tumbleweed libgcrypt20-32bit-1.9.4-1.2 as a component of openSUSE Tumbleweed libgcrypt20-hmac-1.9.4-1.2 as a component of openSUSE Tumbleweed libgcrypt20-hmac-32bit-1.9.4-1.2 as a component of openSUSE Tumbleweed Libgcrypt before 1.8.1 does not properly consider Curve25519 side-channel attacks, which makes it easier for attackers to discover a secret key, related to cipher/ecc.c and mpi/ec.c. CVE-2017-0379 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 moderate 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-0379.html CVE-2017-0379 https://bugzilla.suse.com/1055837 SUSE Bug 1055837 libgcrypt before version 1.7.8 is vulnerable to a cache side-channel attack resulting into a complete break of RSA-1024 while using the left-to-right method for computing the sliding-window expansion. The same attack is believed to work on RSA-2048 with moderately more computation. This side-channel requires that attacker can run arbitrary software on the hardware where the private RSA key is used. CVE-2017-7526 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 low 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7526.html CVE-2017-7526 https://bugzilla.suse.com/1046607 SUSE Bug 1046607 https://bugzilla.suse.com/1047462 SUSE Bug 1047462 https://bugzilla.suse.com/1123792 SUSE Bug 1123792 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. CVE-2018-0495 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 moderate 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-0495.html CVE-2018-0495 https://bugzilla.suse.com/1097410 SUSE Bug 1097410 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 ** DISPUTED ** In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack. CVE-2019-12904 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-12904.html CVE-2019-12904 https://bugzilla.suse.com/1138939 SUSE Bug 1138939 It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. CVE-2019-13627 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 moderate 2.6 AV:L/AC:H/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13627.html CVE-2019-13627 https://bugzilla.suse.com/1148987 SUSE Bug 1148987 _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1 or later. CVE-2021-3345 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 moderate 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3345.html CVE-2021-3345 https://bugzilla.suse.com/1181632 SUSE Bug 1181632 Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. CVE-2021-33560 openSUSE Tumbleweed:libgcrypt-cavs-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt-devel-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-32bit-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-1.9.4-1.2 openSUSE Tumbleweed:libgcrypt20-hmac-32bit-1.9.4-1.2 important 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-33560.html CVE-2021-33560 https://bugzilla.suse.com/1187212 SUSE Bug 1187212 https://bugzilla.suse.com/1189854 SUSE Bug 1189854 https://bugzilla.suse.com/1199664 SUSE Bug 1199664