CVE-2015-0837
Published: 2 March 2015
The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
Priority
Status
| Package | Release | Status |
|---|---|---|
| gnupg | lucid | Released (1.4.10-2ubuntu1.8) |
| gnupg | precise | Released (1.4.11-3ubuntu2.9) |
| gnupg | trusty | Released (1.4.16-1ubuntu2.3) |
| gnupg | upstream | Released (1.4.18-7) |
| gnupg | utopic | Released (1.4.16-1.2ubuntu1.2) |
| libgcrypt11 | lucid | Released (1.4.4-5ubuntu2.4) |
| libgcrypt11 | precise | Released (1.5.0-3ubuntu0.4) |
| libgcrypt11 | trusty | Released (1.5.3-2ubuntu4.2) |
| libgcrypt11 | upstream | Needed |
| libgcrypt11 | utopic | Released (1.5.4-2ubuntu1.1) |
| libgcrypt20 | lucid | Does not exist |
| libgcrypt20 | precise | Does not exist |
| libgcrypt20 | trusty | Released (1.6.1-2ubuntu1.14.04.1) |
| libgcrypt20 | upstream | Released (1.6.3-2) |
| libgcrypt20 | utopic | Released (1.6.1-2ubuntu1.14.10.1) |

Patches (gnupg):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=6cbc75e71295f23431c4ab95edc7573f2fc28476

Patches (libgcrypt20):
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=deb6f231ba85f65283c9e1deb3e2dea3b6ca46dc
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d9f002899d26dc64f1502ae5050632340a4780fe
upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5e72b6c76ebee720f69b8a5c212f52d38eb50287

Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |