It was discovered that there was an ECDSA timing attack in the libgcrypt20 cryptographic library. Versions affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Ubuntu_linux | Canonical | 12.04 (including) | 12.04 (including) |
Ubuntu_linux | Canonical | 14.04 (including) | 14.04 (including) |
Ubuntu_linux | Canonical | 16.04 (including) | 16.04 (including) |
Ubuntu_linux | Canonical | 18.04 (including) | 18.04 (including) |
Ubuntu_linux | Canonical | 19.04 (including) | 19.04 (including) |
Ubuntu_linux | Canonical | 19.10 (including) | 19.10 (including) |
Leap | Opensuse | 15.0 (including) | 15.0 (including) |
Leap | Opensuse | 15.1 (including) | 15.1 (including) |
Red Hat Enterprise Linux 8 | RedHat | libgcrypt-0:1.8.5-4.el8 | * |
Libgcrypt11 | Ubuntu | esm-infra-legacy/trusty | * |
Libgcrypt11 | Ubuntu | trusty | * |
Libgcrypt11 | Ubuntu | trusty/esm | * |
Libgcrypt20 | Ubuntu | bionic | * |
Libgcrypt20 | Ubuntu | devel | * |
Libgcrypt20 | Ubuntu | disco | * |
Libgcrypt20 | Ubuntu | eoan | * |
Libgcrypt20 | Ubuntu | esm-infra/bionic | * |
Libgcrypt20 | Ubuntu | esm-infra/xenial | * |
Libgcrypt20 | Ubuntu | trusty | * |
Libgcrypt20 | Ubuntu | upstream | * |
Libgcrypt20 | Ubuntu | xenial | * |