Executive Summary

Summary
Title gnupg security update
Informations
Name DSA-3024 First vendor Publication 2014-09-11
Vendor Debian Last vendor Modification 2014-09-11
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (CVE-2014-5270).

In addition, this update hardens GnuPG's behaviour when treating keyserver responses; GnuPG now filters keyserver responses to only accepts those keyid's actually requested by the user.

For the stable distribution (wheezy), this problem has been fixed in version 1.4.12-7+deb7u6.

For the testing (jessie) and unstable distribution (sid), this problem has been fixed in version 1.4.18-4.

We recommend that you upgrade your gnupg packages.

Original Source

Url : http://www.debian.org/security/2014/dsa-3024

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:25845
 
Oval ID: oval:org.mitre.oval:def:25845
Title: USN-2339-2 -- libgcrypt11 vulnerability
Description: Libgcrypt could expose sensitive information when performing decryption.
Family: unix Class: patch
Reference(s): USN-2339-2
CVE-2014-5270
 Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
 Product(s): libgcrypt11
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26547
 
Oval ID: oval:org.mitre.oval:def:26547
Title: SUSE-SU-2014:1077-1 -- Security update for libgcrypt
Description: This libgcrypt update fixes the following security issue: * bnc#892464: Side-channel attack on Elgamal encryption subkeys. (CVE-2014-5270) Security Issues: * CVE-2014-5270 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1077-1
CVE-2014-5270
 Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
 Product(s): libgcrypt
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26710
 
Oval ID: oval:org.mitre.oval:def:26710
Title: DSA-3024-1 gnupg - security update
Description: Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).
Family: unix Class: patch
Reference(s): DSA-3024-1
CVE-2014-5270
 Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
 Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26749
 
Oval ID: oval:org.mitre.oval:def:26749
Title: USN-2339-1 -- gnupg vulnerability
Description: GnuPG could expose sensitive information when performing decryption.
Family: unix Class: patch
Reference(s): USN-2339-1
CVE-2014-5270
 Version: 3
Platform(s): Ubuntu 12.04
Ubuntu 10.04
 Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27968
 
Oval ID: oval:org.mitre.oval:def:27968
Title: DSA-3073-1 -- libgcrypt11 security update
Description: Daniel Genkin, Itamar Pipman and Eran Tromer discovered that Elgamal encryption subkeys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side-channel attack.
Family: unix Class: patch
Reference(s): DSA-3073-1
CVE-2014-5270
 Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
 Product(s): libgcrypt11
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 9
Os 1

Nessus® Vulnerability Scanner

Date Description
2015-08-05 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-577.nasl - Type : ACT_GATHER_INFO
2015-04-02 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2554-1.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-154.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-93.nasl - Type : ACT_GATHER_INFO
2014-11-17 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3073.nasl - Type : ACT_GATHER_INFO
2014-09-23 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2014-180.nasl - Type : ACT_GATHER_INFO
2014-09-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3024.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-176.nasl - Type : ACT_GATHER_INFO
2014-09-04 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2339-1.nasl - Type : ACT_GATHER_INFO
2014-09-04 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2339-2.nasl - Type : ACT_GATHER_INFO
2014-09-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libgcrypt-devel-140819.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201408-10.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2014-10-11 00:26:57
  • Multiple Updates
2014-10-10 09:28:30
  • Multiple Updates
2014-09-14 13:26:43
  • Multiple Updates
2014-09-12 00:22:24
  • First insertion