CVE-2014-5270
Published: 18 August 2014
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
Priority
Status
Package | Release | Status |
---|---|---|
libgcrypt20 | upstream | Released (1.6.0-2) |
libgcrypt20 | lucid | Does not exist |
libgcrypt20 | precise | Does not exist |
libgcrypt20 | trusty | Does not exist (trusty was not-affected [1.6.1-2ubuntu1]) |
libgcrypt11 | upstream | Released (1.5.4-1) |
libgcrypt11 | lucid | Released (1.4.4-5ubuntu2.3) |
libgcrypt11 | precise | Released (1.5.0-3ubuntu0.3) |
libgcrypt11 | trusty | Released (1.5.3-2ubuntu4.1) |
gnupg | upstream | Released (1.4.16-1) |
gnupg | lucid | Released (1.4.10-2ubuntu1.7) |
gnupg | precise | Released (1.4.11-3ubuntu2.7) |
gnupg | trusty | Not vulnerable (1.4.16-1ubuntu2.1) |

Patches (libgcrypt11):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6c3598f1f6a6f2548b60a31ce3c0dd9885558a4f (bp)
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=62e8e1283268f1d3b6d0cfb2fc4e7835bbcdaab6

Patches (gnupg):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=cad8216f9a0b33c9dc84ecc4f385b00045e7b496