[v2.3] libgcrypt CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack
Libgcrypt version 1.5.3.
This is a security fix release for the stable branch.
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
Noteworthy changes in version 1.5.3:
* Mitigate the Yarom/Falkner flush+reload side-channel attack on
RSA secret keys. See <http://eprint.iacr.org/2013/448>.
[ Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes
the above problem. The fix for GnuPG < 2.0 can be found in the just
released GnuPG 1.4.14. ]
Source code is hosted at the GnuPG FTP server and its mirrors as
listed at http://www.gnupg.org/download/mirrors.html . On the primary
server the source file and its digital signatures are:
This file is bzip2 compressed. A gzip compressed version is also
Alternatively you may upgrade version 1.5.2 using this patch file:
The SHA-1 checksums are:
(from redmine: issue id 2191, created on 2013-08-02, closed on 2013-08-06)
- parent #2187 (closed)
- Revision 6e323da5 by Natanael Copa on 2013-08-05T14:14:33Z:
main/libgcrypt: security upgrade to 1.5.3 (CVE-2013-4242) ref #2187 fixes #2191