Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2018-0495

Published: 13 June 2018

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Priority

Low

Cvss 3 Severity Score

4.7

Score breakdown

Status

Package Release Status
libgcrypt11
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

trusty
Released (1.5.3-2ubuntu4.6)
upstream Needs triage

xenial Does not exist

yakkety Does not exist

zesty Does not exist

nss
Launchpad, Ubuntu, Debian
artful Ignored
(end of life)
bionic
Released (2:3.35-2ubuntu2.1)
cosmic
Released (2:3.36.1-1ubuntu1.1)
disco Not vulnerable
(2:3.39-1ubuntu1)
trusty
Released (2:3.28.4-0ubuntu0.14.04.4)
upstream
Released (3.38)
xenial
Released (2:3.28.4-0ubuntu0.16.04.4)
Patches:

upstream: https://hg.mozilla.org/projects/nss/rev/ca18ca4ba00d


openssl098
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

artful Does not exist

trusty Does not exist
(trusty was needs-triage)
upstream Needs triage

xenial Does not exist

libgcrypt20
Launchpad, Ubuntu, Debian
artful
Released (1.7.8-2ubuntu1.1)
bionic
Released (1.8.1-4ubuntu1.1)
cosmic
Released (1.8.3-1ubuntu1)
disco
Released (1.8.3-1ubuntu1)
trusty Does not exist
(trusty was needed)
upstream
Released (1.7.10,1.8.3)
xenial
Released (1.6.5-2ubuntu0.5)
Patches:
upstream: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965



openssl
Launchpad, Ubuntu, Debian
artful
Released (1.0.2g-1ubuntu13.6)
bionic
Released (1.1.0g-2ubuntu4.1)
cosmic
Released (1.1.0g-2ubuntu5)
disco
Released (1.1.0g-2ubuntu5)
trusty
Released (1.0.1f-1ubuntu2.26)
upstream Needs triage

xenial
Released (1.0.2g-1ubuntu4.13)
Patches:


upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=949ff36623eafc3523a9f91784992965018ffb05 (1.0.2)
upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=0c27d793745c7837b13646302b6890a556b7017a (1.1)
openssl1.0
Launchpad, Ubuntu, Debian
artful Does not exist

bionic
Released (1.0.2n-1ubuntu5.1)
cosmic
Released (1.0.2n-1ubuntu6)
disco Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

Severity score breakdown

Parameter Value
Base score 4.7
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N