Arch Linux Security Advisory ASA-201707-1 ========================================= Severity: High Date : 2017-07-03 CVE-ID : CVE-2017-7526 Package : libgcrypt Type : private key recovery Remote : No Link : https://security.archlinux.org/AVG-338 Summary ======= The package libgcrypt before version 1.7.8-1 is vulnerable to private key recovery. Resolution ========== Upgrade to 1.7.8-1. # pacman -Syu "libgcrypt>=1.7.8-1" The problem has been fixed upstream in version 1.7.8. Workaround ========== None. Description =========== The pattern of squarings and multiplications in left-to-right sliding windows in libgcrypt <= 1.7.7 leaks significant information about exponent bits, allowing for the very efficient recovery of a full 1024-bit RSA key. Impact ====== A local attacker can use a side-channel attack to recover a secret private key. References ========== https://eprint.iacr.org/2017/627 https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=a9f612def801c8145d551d995475e5d51a4c988c;hp=0e6788517eac6f508fa32ec5d5c1cada7fb980bc https://security.archlinux.org/CVE-2017-7526