ASA-201806-10 log original external raw

[ASA-201806-10] libgcrypt: private key recovery
Arch Linux Security Advisory ASA-201806-10 ========================================== Severity: High Date : 2018-06-16 CVE-ID : CVE-2018-0495 Package : libgcrypt Type : private key recovery Remote : No Link : Summary ======= The package libgcrypt before version 1.8.3-1 is vulnerable to private key recovery. Resolution ========== Upgrade to 1.8.3-1. # pacman -Syu "libgcrypt>=1.8.3-1" The problem has been fixed upstream in version 1.8.3. Workaround ========== None. Description =========== An implementation flaw has been discovered in multiple cryptographic libraries that allows a side-channel based attacker to recover ECDSA or DSA private keys. When these cryptographic libraries use the private key to create a signature, such as for a TLS or SSH connection, they inadvertently leak information through memory caches. An unprivileged attacker running on the same machine can collect the information from a few thousand signatures and recover the value of the private key. Impact ====== An unprivileged user might be able to retrieve private keys on the affected host. References ==========;a=commitdiff;h=9010d1576e278a4274ad3f4aa15776c28f6ba965;hp=7b6c2afd699e889f5f054cc3d202a61bd0ee1dcf