
USN-1923-1: GnuPG, Libgcrypt vulnerability

1 August 2013

GnuPG and Libgcrypt could be made to expose sensitive information.

Releases

Packages

  • gnupg - GNU privacy guard - a free PGP replacement
  • libgcrypt11 - LGPL Crypto library - runtime library

Details

Yuval Yarom and Katrina Falkner discovered a timing-based information leak,
known as Flush+Reload, that could be used to trace execution in programs.
GnuPG and Libgcrypt followed different execution paths based on key-related
data, which could be used to expose the contents of private keys.
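
A simplified model of the key-dependent execution path described above, added here as an illustration and not taken from GnuPG or Libgcrypt: a toy square-and-multiply exponentiation (an assumed stand-in for the affected routine) records which operations run, first with a branch on each exponent bit and then with a uniform operation sequence. The function names, the 16-bit exponent width and the sample values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS 16                   /* toy exponent width, constructed for the example */
#define TRACE_MAX (2 * BITS + 1)  /* at most two operations per bit, plus NUL */

/* Multiply modulo m; operands stay below 2^32 so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) { return (a * b) % m; }

/* Key-dependent path: the multiply runs only for 1 bits, so the sequence of
 * operations written to trace ('S' = square, 'M' = multiply) encodes exp. */
uint64_t modexp_branchy(uint64_t base, uint32_t exp, uint64_t m, char *trace) {
    uint64_t r = 1;
    size_t n = 0;
    for (int i = BITS - 1; i >= 0; i--) {
        r = mulmod(r, r, m);        trace[n++] = 'S';
        if ((exp >> i) & 1) {
            r = mulmod(r, base, m); trace[n++] = 'M';
        }
    }
    trace[n] = '\0';
    return r;
}

/* Uniform path: always square and multiply, then keep or discard the product
 * with a mask instead of a branch. The trace is identical for every exp. */
uint64_t modexp_uniform(uint64_t base, uint32_t exp, uint64_t m, char *trace) {
    uint64_t r = 1;
    size_t n = 0;
    for (int i = BITS - 1; i >= 0; i--) {
        r = mulmod(r, r, m);             trace[n++] = 'S';
        uint64_t t = mulmod(r, base, m); trace[n++] = 'M';
        uint64_t mask = 0 - (uint64_t)((exp >> i) & 1);  /* all ones if bit set */
        r = (t & mask) | (r & ~mask);
    }
    trace[n] = '\0';
    return r;
}

int main(void) {
    char a[TRACE_MAX], b[TRACE_MAX];
    modexp_branchy(7, 0xA5C3, 1000003, a); modexp_branchy(7, 0x5A3D, 1000003, b);
    printf("branchy traces differ: %d\n", strcmp(a, b) != 0);
    modexp_uniform(7, 0xA5C3, 1000003, a); modexp_uniform(7, 0x5A3D, 1000003, b);
    printf("uniform traces differ: %d\n", strcmp(a, b) != 0);
    return 0;
}
```

The uniform version only equalizes the order of operations in this model; it makes no claim about the timing of the underlying arithmetic.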

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.
