Security update for libgcrypt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0919-1 Final 1 1 2021-06-25T06:14:59Z current 2021-06-25T06:14:59Z 2021-06-25T06:14:59Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libgcrypt This update for libgcrypt fixes the following issues: - CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212). This update was imported from the SUSE:SLE-15-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-919 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PPALT4SBPXXPFJVTZN5FQCXMNVH4GXCU/ E-Mail link for openSUSE-SU-2021:0919-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1187212 SUSE Bug 1187212 https://www.suse.com/security/cve/CVE-2021-33560/ SUSE CVE CVE-2021-33560 page openSUSE Leap 15.2 libgcrypt-cavs-1.8.2-lp152.17.3.1 libgcrypt-devel-1.8.2-lp152.17.3.1 libgcrypt-devel-32bit-1.8.2-lp152.17.3.1 libgcrypt20-1.8.2-lp152.17.3.1 libgcrypt20-32bit-1.8.2-lp152.17.3.1 libgcrypt20-hmac-1.8.2-lp152.17.3.1 libgcrypt20-hmac-32bit-1.8.2-lp152.17.3.1 libgcrypt-cavs-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 libgcrypt-devel-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 libgcrypt-devel-32bit-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 libgcrypt20-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 libgcrypt20-32bit-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 libgcrypt20-hmac-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 libgcrypt20-hmac-32bit-1.8.2-lp152.17.3.1 as a component of openSUSE Leap 15.2 Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. CVE-2021-33560 openSUSE Leap 15.2:libgcrypt-cavs-1.8.2-lp152.17.3.1 openSUSE Leap 15.2:libgcrypt-devel-1.8.2-lp152.17.3.1 openSUSE Leap 15.2:libgcrypt-devel-32bit-1.8.2-lp152.17.3.1 openSUSE Leap 15.2:libgcrypt20-1.8.2-lp152.17.3.1 openSUSE Leap 15.2:libgcrypt20-32bit-1.8.2-lp152.17.3.1 openSUSE Leap 15.2:libgcrypt20-hmac-1.8.2-lp152.17.3.1 openSUSE Leap 15.2:libgcrypt20-hmac-32bit-1.8.2-lp152.17.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PPALT4SBPXXPFJVTZN5FQCXMNVH4GXCU/ https://www.suse.com/security/cve/CVE-2021-33560.html CVE-2021-33560 https://bugzilla.suse.com/1187212 SUSE Bug 1187212 https://bugzilla.suse.com/1189854 SUSE Bug 1189854 https://bugzilla.suse.com/1199664 SUSE Bug 1199664