[SECURITY] [DLA 602-1] gnupg security and hardening update

[news 28]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

 

Package : gnupg

Version : 1.4.12-7+deb7u8

CVE ID : CVE-2016-6313

Debian Bug : 834893

 

 

CVE-2016-6313

 

Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of

Technology discovered a flaw in the mixing functions of GnuPG's

random number generator. An attacker who obtains 4640 bits from the RNG

can trivially predict the next 160 bits of output.

 

A first analysis on the impact of this bug for GnuPG shows that

existing RSA keys are not weakened. For DSA and Elgamal keys it is also

unlikely that the private key can be predicted from other public

information.

 

Bypassing GnuPG key checking:

 

Weaknesses have been found in GnuPG signature validation that

attackers could exploit thanks to especially forged public keys and

under specific hardware-software conditions. While the underlying

problem cannot be solved only by software, GnuPG has been

strengthened, avoiding to rely on keyring signature caches when

verifying keys. Potential specific attacks are not valid any more

with the patch of GnuPG

 

 

Bypassing GnuPG key checking:

 

Vrije Universiteit Amsterdam and Katholieke Universteit Leuven

researchers discovered an attack method, known as Flip Feng Shui,

that concerns flaws in GnuPG. Researchers found that under specific

hardware-software conditions, attackers could bypass the GnuPG

signature validation by using forged public keys. While the

underlying problem cannot be solved only by software, GnuPG has been

made more robust to avoid relying on keyring signature caches when

verifying keys.

 

 

For Debian 7 "Wheezy", these issues have been addressed in version

1.4.12-7+deb7u8.

 

We recommend that you upgrade your gnupg packages.

 

Further information about Debian LTS security advisories, how to apply

these updates to your system and frequently asked questions can be

found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.12 (GNU/Linux)

 

iQIcBAEBCAAGBQJXxJpQAAoJEF6Q3PqUJodvlj8P/0Zr1mgqt3dSLl9UMDziu/ui

sIuiZjI06MD4A9hH80GP84T4dRGFn8TO9JsvPzuQoNVBcvXJbG1KPa+L7To/HJzl

ip3mFDn8xihgs6NMh0tSD+NZFcfM2v17LFa2y4OhTmkCW9JGOYuP1n6TCp0pi6kF

yhGw8DrA0tjiebkmeDWa3sWUqeiqV/U8nRP9yCLI2Ym5sHE7OOI9W3Hi5Ifr8f17

bs8N4fxqWWM/EOaERECWnbcVEEde9DhWaqRWIvYYCLTJFKLRayFro0CJZiEwjI3/

pkaWWbyV3pYkwTqqc39jbbLbY2dGR+A3t5vRhzgMniCtwQZIPqj/ZhOK3u2KN/Sp

j2ONWBRDMyc6gGkA7TugwJKWzV1mv7D+F8ZBAiqT1Uyd4eYL8/jDOZQheqsoE5KR

wdiyXNoHd5ZqlEo5EBDBZ1r4Vi6EzJFBvaZ0Bsk13hC/qLtBtUzmcD3OrZmxKenp

aBLAXo9G5xD0k4HgXs7LXNzb5UIIBsBwAxvwCVUHhuFVQheemy7kX/QfMgKnUkNK

QidPT8bhwoibMIkLEn7xlYaRGXskU4FsCr7VVdR+FCBzRzZTika1WB9Q3Q7ZaOAT

Qjedp0z8yk8JkUqxbaVnU1VsyoMUJB6llGumxDEVhv7t7P/fWWRrf/SGvKTs4Ksk

rH+c9thjjiHXwV2/NEid

=vIdw

-----END PGP SIGNATURE-----