Executive Summary

Informations
Name MDVSA-2015:154 First vendor Publication 2015-03-29
Vendor Mandriva Last vendor Modification 2015-03-29
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Updated gnupg, gnupg2 and libgcrypt packages fix security vulnerabilities:

GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial of service which can be caused by garbled compressed data packets which may put gpg into an infinite loop (CVE-2014-4617).

The libgcrypt library before version 1.5.4 is vulnerable to an ELGAMAL side-channel attack (CVE-2014-5270).

GnuPG before 1.4.19 is vulnerable to a side-channel attack which can potentially lead to an information leak (CVE-2014-3591).

GnuPG before 1.4.19 is vulnerable to a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak (CVE-2015-0837).

The gnupg and gnupg2 package has been patched to correct these issues.

GnuPG2 is vulnerable to these issues through the libgcrypt library. The issues were fixed in libgcrypt 1.6.3. The libgcrypt package in Mandriva, at version 1.5.4, was only vulnerable to the CVE-2014-3591 issue. It has also been patched to correct this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:154

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-200 Information Exposure
50 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:25075
 
Oval ID: oval:org.mitre.oval:def:25075
Title: USN-2258-1 -- gnupg, gnupg2 vulnerability
Description: GnuPG could be made to hang if it processed a specially crafted message.
Family: unix Class: patch
Reference(s): USN-2258-1
CVE-2014-4617
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): gnupg
gnupg2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25120
 
Oval ID: oval:org.mitre.oval:def:25120
Title: DSA-2968-1 gnupg2 - security update
Description: Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop.
Family: unix Class: patch
Reference(s): DSA-2968-1
CVE-2014-4617
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): gnupg2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25133
 
Oval ID: oval:org.mitre.oval:def:25133
Title: DSA-2967-1 gnupg - security update
Description: Jean-René Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount a denial of service against GnuPG by triggering an infinite loop.
Family: unix Class: patch
Reference(s): DSA-2967-1
CVE-2014-4617
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25845
 
Oval ID: oval:org.mitre.oval:def:25845
Title: USN-2339-2 -- libgcrypt11 vulnerability
Description: Libgcrypt could expose sensitive information when performing decryption.
Family: unix Class: patch
Reference(s): USN-2339-2
CVE-2014-5270
Version: 3
Platform(s): Ubuntu 14.04
Ubuntu 12.04
Ubuntu 10.04
Product(s): libgcrypt11
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26344
 
Oval ID: oval:org.mitre.oval:def:26344
Title: SUSE-SU-2014:0896-1 -- Security update for GPG2
Description: GPG2 has been updated to fix a possible denial of service.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0896-1
CVE-2014-4617
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): GPG2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26547
 
Oval ID: oval:org.mitre.oval:def:26547
Title: SUSE-SU-2014:1077-1 -- Security update for libgcrypt
Description: This libgcrypt update fixes the following security issue: * bnc#892464: Side-channel attack on Elgamal encryption subkeys. (CVE-2014-5270) Security Issues: * CVE-2014-5270 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5270>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1077-1
CVE-2014-5270
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): libgcrypt
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26710
 
Oval ID: oval:org.mitre.oval:def:26710
Title: DSA-3024-1 gnupg - security update
Description: Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).
Family: unix Class: patch
Reference(s): DSA-3024-1
CVE-2014-5270
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26749
 
Oval ID: oval:org.mitre.oval:def:26749
Title: USN-2339-1 -- gnupg vulnerability
Description: GnuPG could expose sensitive information when performing decryption.
Family: unix Class: patch
Reference(s): USN-2339-1
CVE-2014-5270
Version: 3
Platform(s): Ubuntu 12.04
Ubuntu 10.04
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27968
 
Oval ID: oval:org.mitre.oval:def:27968
Title: DSA-3073-1 -- libgcrypt11 security update
Description: Daniel Genkin, Itamar Pipman and Eran Tromer discovered that Elgamal encryption subkeys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side-channel attack.
Family: unix Class: patch
Reference(s): DSA-3073-1
CVE-2014-5270
Version: 3
Platform(s): Debian GNU/Linux 7.0
Debian GNU/kFreeBSD 7.0
Product(s): libgcrypt11
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 95
Application 9
Os 1
Os 2

Nessus® Vulnerability Scanner

Date Description
2017-05-16 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL21284031.nasl - Type : ACT_GATHER_INFO
2015-08-05 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-577.nasl - Type : ACT_GATHER_INFO
2015-04-02 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2554-1.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-154.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-93.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-51.nasl - Type : ACT_GATHER_INFO
2014-11-17 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3073.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-379.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-378.nasl - Type : ACT_GATHER_INFO
2014-09-23 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2014-180.nasl - Type : ACT_GATHER_INFO
2014-09-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3024.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-176.nasl - Type : ACT_GATHER_INFO
2014-09-04 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2339-1.nasl - Type : ACT_GATHER_INFO
2014-09-04 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2339-2.nasl - Type : ACT_GATHER_INFO
2014-09-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libgcrypt-devel-140819.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201408-10.nasl - Type : ACT_GATHER_INFO
2014-07-17 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201407-04.nasl - Type : ACT_GATHER_INFO
2014-07-15 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_gpg2-140626.nasl - Type : ACT_GATHER_INFO
2014-07-10 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-127.nasl - Type : ACT_GATHER_INFO
2014-07-04 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-455.nasl - Type : ACT_GATHER_INFO
2014-07-02 Name : The remote Fedora host is missing a security update.
File : fedora_2014-7797.nasl - Type : ACT_GATHER_INFO
2014-06-30 Name : The remote Fedora host is missing a security update.
File : fedora_2014-7796.nasl - Type : ACT_GATHER_INFO
2014-06-28 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2968.nasl - Type : ACT_GATHER_INFO
2014-06-27 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2258-1.nasl - Type : ACT_GATHER_INFO
2014-06-26 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2967.nasl - Type : ACT_GATHER_INFO
2014-06-25 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-175-02.nasl - Type : ACT_GATHER_INFO
2014-06-25 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-175-03.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2015-03-31 13:29:45
  • Multiple Updates
2015-03-29 21:25:01
  • First insertion