Amazon Linux 1 Security Advisory: ALAS-2015-577
Advisory Release Date: 2015-08-04 17:43 Pacific
Advisory Updated Date: 2015-08-04 17:55 Pacific
Fix a side-channel attack on data-dependent timing variations in modular exponentiation, which can potentially lead to an information leak. (CVE-2015-0837)
Fix a side-channel attack which can potentially lead to an information leak. (CVE-2014-3591)
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576, which was fixed in ALAS-2014-278 (https://alas.aws.amazon.com/ALAS-2014-278.html). (CVE-2014-5270)
Affected Packages:
libgcrypt
Issue Correction:
Run yum update libgcrypt to update your system.
i686:
libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686
libgcrypt-devel-1.5.3-12.18.amzn1.i686
libgcrypt-1.5.3-12.18.amzn1.i686
src:
libgcrypt-1.5.3-12.18.amzn1.src
x86_64:
libgcrypt-devel-1.5.3-12.18.amzn1.x86_64
libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64
libgcrypt-1.5.3-12.18.amzn1.x86_64