CVE-2016-6313
Published: 17 August 2016
The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
Notes
Author | Note |
---|---|
mdeslaur | CVE number in announcement is wrong |
Priority
Status
Package | Release | Status |
---|---|---|
gnupg (Launchpad, Ubuntu, Debian) | zesty | Does not exist |
gnupg | artful | Does not exist |
gnupg | bionic | Does not exist |
gnupg | cosmic | Does not exist |
gnupg | disco | Does not exist |
gnupg | precise | Released (1.4.11-3ubuntu2.10) |
gnupg | trusty | Released (1.4.16-1ubuntu2.4) |
gnupg | upstream | Released (1.4.21) |
gnupg | xenial | Released (1.4.20-1ubuntu3.1) |
gnupg | yakkety | Does not exist |

Patches (gnupg):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e23eec8c9a602eee0a09851a54db0f5d611f125c
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c6dbfe89903d0c8191cf50ecf1abb3c8458b427a

Package | Release | Status |
---|---|---|
gnupg2 (Launchpad, Ubuntu, Debian) | artful | Not vulnerable (uses system libgcrypt) |
gnupg2 | bionic | Not vulnerable (uses system libgcrypt) |
gnupg2 | cosmic | Not vulnerable (uses system libgcrypt) |
gnupg2 | disco | Not vulnerable (uses system libgcrypt) |
gnupg2 | trusty | Does not exist (trusty was not-affected [uses system libgcrypt]) |
gnupg2 | upstream | Needs triage |
gnupg2 | xenial | Not vulnerable (uses system libgcrypt) |
gnupg2 | yakkety | Not vulnerable (uses system libgcrypt) |
gnupg2 | zesty | Not vulnerable (uses system libgcrypt) |
gnupg2 | precise | Not vulnerable (uses system libgcrypt) |

Package | Release | Status |
---|---|---|
libgcrypt11 (Launchpad, Ubuntu, Debian) | artful | Does not exist |
libgcrypt11 | bionic | Does not exist |
libgcrypt11 | cosmic | Does not exist |
libgcrypt11 | disco | Does not exist |
libgcrypt11 | precise | Released (1.5.0-3ubuntu0.6) |
libgcrypt11 | trusty | Released (1.5.3-2ubuntu4.4) |
libgcrypt11 | upstream | Released (1.5.6) |
libgcrypt11 | xenial | Does not exist |
libgcrypt11 | yakkety | Does not exist |
libgcrypt11 | zesty | Does not exist |

Patches (libgcrypt11):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=98980e2fd29ad62903c78fa6521489fce651cdda
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6199cd963d1fba86e0b7b9e2de4b6c00b945193a

Package | Release | Status |
---|---|---|
libgcrypt20 (Launchpad, Ubuntu, Debian) | artful | Released (1.7.2-2ubuntu1) |
libgcrypt20 | bionic | Released (1.7.2-2ubuntu1) |
libgcrypt20 | cosmic | Released (1.7.2-2ubuntu1) |
libgcrypt20 | disco | Released (1.7.2-2ubuntu1) |
libgcrypt20 | precise | Does not exist |
libgcrypt20 | trusty | Does not exist (trusty was needed) |
libgcrypt20 | upstream | Released (1.6.6,1.7.3) |
libgcrypt20 | xenial | Released (1.6.5-2ubuntu0.2) |
libgcrypt20 | yakkety | Released (1.7.2-2ubuntu1) |
libgcrypt20 | zesty | Released (1.7.2-2ubuntu1) |

Patches (libgcrypt20):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 (1.7)
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=8dd45ad957b54b939c288a68720137386c7f6501 (1.7)
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=190b0429b70eb4a3573377e95755d9cc13c38461 (1.6)
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=c748f87436d693f092a4484571a3cc7f650b5c81 (1.6)

Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |