CVE-2019-13627
Published: 25 September 2019
It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
Priority
Medium
CVSS 3 base score: 6.3
Status
| Package | Release | Status |
|---|---|---|
|
libgcrypt11 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(1.5.3-2ubuntu4.6+esm1)
|
|
|
libgcrypt20 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.8.5-1)
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(1.8.1-4ubuntu1.2)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(1.6.5-2ubuntu0.6)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79 (master) Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567 (master) Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 (1.8.5) Upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60 (1.8.5) |
||
Notes
| Author | Note |
|---|---|
| leosilva | patch breaks dsa-rfc6979.c tests in Xenial. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13627
- https://ubuntu.com/security/notices/USN-4236-1
- https://ubuntu.com/security/notices/USN-4236-2
- https://ubuntu.com/security/notices/USN-4236-3
- NVD
- Launchpad
- Debian