SB2019072815 - Cryptographic issues in libgcrypt (Alpine package)
Published: July 28, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2019-12904)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=237b184ab920ac272b958d7e5cfab67112bd00b7
- https://git.alpinelinux.org/aports/commit/?id=589433af04a6580567db8bb9ac47d9d580184178
- https://git.alpinelinux.org/aports/commit/?id=5b4846da350aac758d8d91420167fd99e33bcdea
- https://git.alpinelinux.org/aports/commit/?id=92381611d07c877dd1469e1f2f6cf5dd45b11730
- https://git.alpinelinux.org/aports/commit/?id=f684a98ab9869cab9dcbc59ffef6134e4db1a03e