Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system.

For the oldstable distribution (squeeze), this problem has been fixed in version 1.4.5-2+squeeze1. For the stable distribution (wheezy), this problem has been fixed in version 1.5.0-5+deb7u1. For the testing distribution (jessie) and unstable distribution (sid), this problem has been fixed in version 1.5.3-1. We recommend that you upgrade your libgcrypt11 packages.

libgcrypt contains cryptographic functions. Many important free ciphers, hash algorithms and public key signing algorithms have been implemented: arcfour, blowfish, cast5, DSA, DSA2, des, 3DES, elgamal, MD5, rijndael, RMD160, RSA, SEED, SHA1, SHA-384, SHA-512, twofish, tiger.

libgcrypt11 on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2013/dsa-2731.html

---

Updated on 2015-03-25