CVE-2014-5270
Published: 18 August 2014
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
Priority
Status
Package | Release | Status |
---|---|---|
gnupg | lucid | Released (1.4.10-2ubuntu1.7) |
gnupg | precise | Released (1.4.11-3ubuntu2.7) |
gnupg | trusty | Not vulnerable (1.4.16-1ubuntu2.1) |
gnupg | upstream | Released (1.4.16-1) |
gnupg | Patches | upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=cad8216f9a0b33c9dc84ecc4f385b00045e7b496 |
libgcrypt11 | lucid | Released (1.4.4-5ubuntu2.3) |
libgcrypt11 | precise | Released (1.5.0-3ubuntu0.3) |
libgcrypt11 | trusty | Released (1.5.3-2ubuntu4.1) |
libgcrypt11 | upstream | Released (1.5.4-1) |
libgcrypt11 | Patches | upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=6c3598f1f6a6f2548b60a31ce3c0dd9885558a4f; upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=62e8e1283268f1d3b6d0cfb2fc4e7835bbcdaab6 |
libgcrypt20 | lucid | Does not exist |
libgcrypt20 | precise | Does not exist |
libgcrypt20 | trusty | Does not exist (trusty was not-affected [1.6.1-2ubuntu1]) |
libgcrypt20 | upstream | Released (1.6.0-2) |