Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2015:154 | First vendor Publication | 2015-03-29 |
Vendor | Mandriva | Last vendor Modification | 2015-03-29 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Updated gnupg, gnupg2 and libgcrypt packages fix security vulnerabilities: GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial of service which can be caused by garbled compressed data packets which may put gpg into an infinite loop (CVE-2014-4617). The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL side-channel attack (CVE-2014-5270). GnuPG before 1.4.19 is vulnerable to a side-channel attack which can potentially lead to an information leak (CVE-2014-3591). GnuPG before 1.4.19 is vulnerable to a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak (CVE-2015-0837). The gnupg and gnupg2 package has been patched to correct these issues. GnuPG2 is vulnerable to these issues through the libgcrypt library. The issues were fixed in libgcrypt 1.6.3. The libgcrypt package in Mandriva, at version 1.5.4, was only vulnerable to the CVE-2014-3591 issue. It has also been patched to correct this issue. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:154 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-200 | Information Exposure |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:25075 | |||
Oval ID: | oval:org.mitre.oval:def:25075 | ||
Title: | USN-2258-1 -- gnupg, gnupg2 vulnerability | ||
Description: | GnuPG could be made to hang if it processed a specially crafted message. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2258-1 CVE-2014-4617 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 13.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | gnupg gnupg2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25120 | |||
Oval ID: | oval:org.mitre.oval:def:25120 | ||
Title: | DSA-2968-1 gnupg2 - security update | ||
Description: | Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2968-1 CVE-2014-4617 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | gnupg2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25133 | |||
Oval ID: | oval:org.mitre.oval:def:25133 | ||
Title: | DSA-2967-1 gnupg - security update | ||
Description: | Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2967-1 CVE-2014-4617 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | gnupg |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25845 | |||
Oval ID: | oval:org.mitre.oval:def:25845 | ||
Title: | USN-2339-2 -- libgcrypt11 vulnerability | ||
Description: | Libgcrypt could expose sensitive information when performing decryption. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2339-2 CVE-2014-5270 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libgcrypt11 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26344 | |||
Oval ID: | oval:org.mitre.oval:def:26344 | ||
Title: | SUSE-SU-2014:0896-1 -- Security update for GPG2 | ||
Description: | GPG2 has been updated to fix a possible denial of service. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0896-1 CVE-2014-4617 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | GPG2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26547 | |||
Oval ID: | oval:org.mitre.oval:def:26547 | ||
Title: | SUSE-SU-2014:1077-1 -- Security update for libgcrypt | ||
Description: | This libgcrypt update fixes the following security issue: * bnc#892464: Side-channel attack on Elgamal encryption subkeys. (CVE-2014-5270) Security Issues: * CVE-2014-5270 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270> | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:1077-1 CVE-2014-5270 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26710 | |||
Oval ID: | oval:org.mitre.oval:def:26710 | ||
Title: | DSA-3024-1 gnupg - security update | ||
Description: | Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>). | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-3024-1 CVE-2014-5270 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | gnupg |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26749 | |||
Oval ID: | oval:org.mitre.oval:def:26749 | ||
Title: | USN-2339-1 -- gnupg vulnerability | ||
Description: | GnuPG could expose sensitive information when performing decryption. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2339-1 CVE-2014-5270 | Version: | 3 |
Platform(s): | Ubuntu 12.04 Ubuntu 10.04 | Product(s): | gnupg |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27968 | |||
Oval ID: | oval:org.mitre.oval:def:27968 | ||
Title: | DSA-3073-1 -- libgcrypt11 security update | ||
Description: | Daniel Genkin, Itamar Pipman and Eran Tromer discovered that Elgamal encryption subkeys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side-channel attack. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-3073-1 CVE-2014-5270 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | libgcrypt11 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-05-16 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL21284031.nasl - Type : ACT_GATHER_INFO |
2015-08-05 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-577.nasl - Type : ACT_GATHER_INFO |
2015-04-02 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2554-1.nasl - Type : ACT_GATHER_INFO |
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-154.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-93.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-51.nasl - Type : ACT_GATHER_INFO |
2014-11-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3073.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-379.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-378.nasl - Type : ACT_GATHER_INFO |
2014-09-23 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2014-180.nasl - Type : ACT_GATHER_INFO |
2014-09-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3024.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-176.nasl - Type : ACT_GATHER_INFO |
2014-09-04 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2339-1.nasl - Type : ACT_GATHER_INFO |
2014-09-04 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2339-2.nasl - Type : ACT_GATHER_INFO |
2014-09-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libgcrypt-devel-140819.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-10.nasl - Type : ACT_GATHER_INFO |
2014-07-17 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201407-04.nasl - Type : ACT_GATHER_INFO |
2014-07-15 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gpg2-140626.nasl - Type : ACT_GATHER_INFO |
2014-07-10 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-127.nasl - Type : ACT_GATHER_INFO |
2014-07-04 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-455.nasl - Type : ACT_GATHER_INFO |
2014-07-02 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7797.nasl - Type : ACT_GATHER_INFO |
2014-06-30 | Name : The remote Fedora host is missing a security update. File : fedora_2014-7796.nasl - Type : ACT_GATHER_INFO |
2014-06-28 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2968.nasl - Type : ACT_GATHER_INFO |
2014-06-27 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2258-1.nasl - Type : ACT_GATHER_INFO |
2014-06-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2967.nasl - Type : ACT_GATHER_INFO |
2014-06-25 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-175-02.nasl - Type : ACT_GATHER_INFO |
2014-06-25 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-175-03.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2015-03-31 13:29:45 |
|
2015-03-29 21:25:01 |
|