==========================================================================
Ubuntu Security Notice USN-3347-1
July 03, 2017
libgcrypt11, libgcrypt20 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Libgcrypt.

Software Description:
- libgcrypt20: LGPL Crypto library
- libgcrypt11: LGPL Crypto library

Details:

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot
Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal, and
Yuval Yarom discovered that Libgcrypt was susceptible to an attack via
side channels. A local attacker could use this attack to recover RSA
private keys. (CVE-2017-7526)

It was discovered that Libgcrypt was susceptible to an attack via
side channels. A local attacker could use this attack to possibly recover
EdDSA private keys. This issue only applied to Ubuntu 16.04 LTS, Ubuntu
16.10 and Ubuntu 17.04. (CVE-2017-9526)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  libgcrypt20 1.7.6-1ubuntu0.1

Ubuntu 16.10:
  libgcrypt20 1.7.2-2ubuntu1.1

Ubuntu 16.04 LTS:
  libgcrypt20 1.6.5-2ubuntu0.3

Ubuntu 14.04 LTS:
  libgcrypt11 1.5.3-2ubuntu4.5

In general, a standard system update will make all the necessary changes.
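
As an added example (not part of the Ubuntu notice), this Python sketch checks a collected package inventory against the fixed versions listed above, reimplementing dpkg's version ordering so the audit can run off-host. The names `deb_cmp` and `status`, the inventory shape, and the host names and installed versions in `SAMPLE` are assumptions constructed for illustration.

```python
import re

# Fixed versions copied from the "Update instructions" section of this notice.
FIXED = {
    "17.04": ("libgcrypt20", "1.7.6-1ubuntu0.1"),
    "16.10": ("libgcrypt20", "1.7.2-2ubuntu1.1"),
    "16.04": ("libgcrypt20", "1.6.5-2ubuntu0.3"),
    "14.04": ("libgcrypt11", "1.5.3-2ubuntu4.5"),
}

def _sign(x, y):
    return (x > y) - (x < y)

def _weight(ch):
    # dpkg character weight: '~' < end of string < letters < other symbols.
    if ch in ("", "~"):
        return -1 if ch else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        (na, da), (nb, db) = (re.match(r"([^0-9]*)([0-9]*)", s).groups() for s in (a, b))
        a, b = a[len(na + da):], b[len(nb + db):]
        for i in range(max(len(na), len(nb))):
            d = _sign(_weight(na[i:i + 1]), _weight(nb[i:i + 1]))
            if d:
                return d
        if int(da or 0) != int(db or 0):
            return _sign(int(da or 0), int(db or 0))
    return 0

def deb_cmp(v1, v2):
    # Return -1, 0 or 1 for [epoch:]upstream[-revision]; revision follows the last '-'.
    pat = r"(?:([0-9]+):)?(.*?)(?:-([^-]*))?"
    (e1, u1, r1), (e2, u2, r2) = (re.fullmatch(pat, v).groups("") for v in (v1, v2))
    return _sign(int(e1 or 0), int(e2 or 0)) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def status(release, pkgs):
    # pkgs: {package: installed_version} collected from a host on that release.
    pkg, fixed = FIXED[release]
    if pkg not in pkgs:
        return "not installed"
    return "VULNERABLE" if deb_cmp(pkgs[pkg], fixed) < 0 else "patched"

# Constructed inventory (host names and installed versions are made up).
SAMPLE = {"web01": ("16.04", {"libgcrypt20": "1.6.5-2ubuntu0.2"}),
          "db01": ("14.04", {"libgcrypt11": "1.5.3-2ubuntu4.5"})}
REPORT = {host: status(*facts) for host, facts in SAMPLE.items()}
print(REPORT)
```

On a Debian or Ubuntu host itself, `dpkg --compare-versions` applies the same ordering.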

References:
  https://www.ubuntu.com/usn/usn-3347-1
  CVE-2017-7526, CVE-2017-9526

Package Information:
  https://launchpad.net/ubuntu/+source/libgcrypt20/1.7.6-1ubuntu0.1
  https://launchpad.net/ubuntu/+source/libgcrypt20/1.7.2-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/libgcrypt20/1.6.5-2ubuntu0.3
  https://launchpad.net/ubuntu/+source/libgcrypt11/1.5.3-2ubuntu4.5