CVE-2016-6313

Published: 17 August 2016

The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.

Priority

High

CVSS 3 base score: 5.3

Status

Package Release Status
gnupg
Upstream: Released (1.4.21)
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Released (1.4.20-1ubuntu3.1)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.4.16-1ubuntu2.4)
Patches:
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=e23eec8c9a602eee0a09851a54db0f5d611f125c
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=c6dbfe89903d0c8191cf50ecf1abb3c8458b427a
gnupg2
Upstream: Needs triage
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (uses system libgcrypt)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (uses system libgcrypt)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [uses system libgcrypt])
libgcrypt11
Upstream: Released (1.5.6)
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.5.3-2ubuntu4.4)
Patches:
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=98980e2fd29ad62903c78fa6521489fce651cdda
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6199cd963d1fba86e0b7b9e2de4b6c00b945193a
libgcrypt20
Upstream: Released (1.6.6, 1.7.3)
Ubuntu 18.04 LTS (Bionic Beaver): Released (1.7.2-2ubuntu1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1.6.5-2ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)
Patches:
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=2f62103b4bb6d6f9ce806e01afb7fdc58aa33513 (1.7)
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=8dd45ad957b54b939c288a68720137386c7f6501 (1.7)
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=190b0429b70eb4a3573377e95755d9cc13c38461 (1.6)
Upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=c748f87436d693f092a4484571a3cc7f650b5c81 (1.6)