CVE-2019-13627

Published: 25 September 2019

It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.

Notes

Author	Note
leosilva	patch breaks dsa-rfc6979.c tests in Xenial.

Priority

CVSS 3 base score: 6.3

Status

Package	Release	Status
libgcrypt11 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	precise	Released (1.5.0-3ubuntu0.9)
	trusty	Released (1.5.3-2ubuntu4.6+esm1)
	upstream	Needs triage
	xenial	Does not exist
libgcrypt20 Launchpad, Ubuntu, Debian	bionic	Released (1.8.1-4ubuntu1.2)
	disco	Released (1.8.4-3ubuntu1.1)
	eoan	Released (1.8.4-5ubuntu2.1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (1.8.5-1)
	xenial	Released (1.6.5-2ubuntu0.6)
	Patches: upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79 (master) upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567 (master) upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d5407b78cca9f9d318a4f4d2f6ba2b8388584cd9 (1.8.5) upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=db4e9976cc31b314aafad6626b2894e86ee44d60 (1.8.5)

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938938

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›