Your submission was sent successfully! Close

CVE-2018-0495

Published: 13 June 2018

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Priority

Low

CVSS 3 base score: 4.7

Status

Package Release Status
libgcrypt11
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

precise
Released (1.5.0-3ubuntu0.8)
trusty
Released (1.5.3-2ubuntu4.6)
upstream Needs triage

xenial Does not exist

yakkety Does not exist

zesty Does not exist

libgcrypt20
Launchpad, Ubuntu, Debian
artful
Released (1.7.8-2ubuntu1.1)
bionic
Released (1.8.1-4ubuntu1.1)
cosmic
Released (1.8.3-1ubuntu1)
disco
Released (1.8.3-1ubuntu1)
precise Does not exist

trusty Does not exist
(trusty was needed)
upstream
Released (1.7.10,1.8.3)
xenial
Released (1.6.5-2ubuntu0.5)
Patches:
upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965



nss
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic
Released (2:3.35-2ubuntu2.1)
cosmic
Released (2:3.36.1-1ubuntu1.1)
disco Not vulnerable
(2:3.39-1ubuntu1)
precise
Released (2:3.28.4-0ubuntu0.12.04.2)
trusty
Released (2:3.28.4-0ubuntu0.14.04.4)
upstream
Released (3.38)
xenial
Released (2:3.28.4-0ubuntu0.16.04.4)
Patches:

upstream: https://hg.mozilla.org/projects/nss/rev/ca18ca4ba00d


openssl
Launchpad, Ubuntu, Debian
artful
Released (1.0.2g-1ubuntu13.6)
bionic
Released (1.1.0g-2ubuntu4.1)
cosmic
Released (1.1.0g-2ubuntu5)
disco
Released (1.1.0g-2ubuntu5)
precise
Released (1.0.1-4ubuntu5.43)
trusty
Released (1.0.1f-1ubuntu2.26)
upstream Needs triage

xenial
Released (1.0.2g-1ubuntu4.13)
Patches:


upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=949ff36623eafc3523a9f91784992965018ffb05 (1.0.2)
upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=0c27d793745c7837b13646302b6890a556b7017a (1.1)
openssl098
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

precise Does not exist

trusty Does not exist
(trusty was needs-triage)
upstream Needs triage

xenial Does not exist

openssl1.0
Launchpad, Ubuntu, Debian
artful Does not exist

bionic
Released (1.0.2n-1ubuntu5.1)
cosmic
Released (1.0.2n-1ubuntu6)
disco Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist