CVE-2013-4242
Published: 29 July 2013
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gnupg Launchpad, Ubuntu, Debian |
lucid |
Released
(1.4.10-2ubuntu1.3)
|
| precise |
Released
(1.4.11-3ubuntu2.3)
|
|
| quantal |
Released
(1.4.11-3ubuntu4.2)
|
|
| raring |
Released
(1.4.12-7ubuntu1.1)
|
|
| upstream |
Released
(1.4.14-1)
|
|
|
Patches: vendor: http://www.debian.org/security/2013/dsa-2730 upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=35646689f4b80955ff7dbe1687bf2c479c53421e |
||
|
libgcrypt11 Launchpad, Ubuntu, Debian |
lucid |
Released
(1.4.4-5ubuntu2.2)
|
| precise |
Released
(1.5.0-3ubuntu0.2)
|
|
| quantal |
Released
(1.5.0-3ubuntu1.1)
|
|
| raring |
Released
(1.5.0-3ubuntu2.2)
|
|
| upstream |
Released
(1.5.3-1)
|
|
|
Patches: vendor: http://www.debian.org/security/2013/dsa-2731 upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=287bf0e543f244d784cf8b58340bf0ab3c6aba97 |
||
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242
- http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
- http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html
- http://eprint.iacr.org/2013/448
- https://ubuntu.com/security/notices/USN-1923-1
- NVD
- Launchpad
- Debian