openSUSE Security Update : libgcrypt (openSUSE-SU-2013:1294-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

libgcrypt was updated to 1.5.3 [bnc#831359] to fix a security issue,
bugs and get some new features :

Security issue fixed :

- Mitigate the Yarom/Falkner flush+reload side-channel
attack on RSA secret keys. See
<http://eprint.iacr.org/2013/448>.

- contains changes from 1.5.2

- The upstream sources now contain the IDEA algorithm,
dropping: idea.c.gz libgcrypt-1.5.0-idea.patch
libgcrypt-1.5.0-idea_codecleanup.patch

- Made the Padlock code work again (regression since
1.5.0).

- Fixed alignment problems for Serpent.

- Fixed two bugs in ECC computations.

- add GPL3.0+ to License tag because of dumpsexp
(bnc#810759)

- contains changes from 1.5.1

- Allow empty passphrase with PBKDF2.

- Do not abort on an invalid algorithm number in
gcry_cipher_get_algo_keylen and
gcry_cipher_get_algo_blklen.

- Fixed some Valgrind warnings.

- Fixed a problem with select and high fd numbers.

- Improved the build system

- Various minor bug fixes.

- Interface changes relative to the 1.5.0 release:
GCRYCTL_SET_ENFORCED_FIPS_FLAG NEW.
GCRYPT_VERSION_NUMBER NEW.

See also :

http://eprint.iacr.org/2013/448
http://lists.opensuse.org/opensuse-updates/2013-08/msg00003.html
https://bugzilla.novell.com/show_bug.cgi?id=810759
https://bugzilla.novell.com/show_bug.cgi?id=831359

Solution :

Update the affected libgcrypt packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: SuSE Local Security Checks

Nessus Plugin ID: 75105 ()

Bugtraq ID:

CVE ID:

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now