Date: Thu, 25 Jul 2013 22:56:06 +0000 (UTC) From: Jun Kuriyama <kuriyama@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r323675 - head/security/vuxml Message-ID: <201307252256.r6PMu6dp045282@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kuriyama Date: Thu Jul 25 22:56:06 2013 New Revision: 323675 URL: http://svnweb.freebsd.org/changeset/ports/323675 Log: Add an entry for security/gnupg1. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jul 25 22:16:50 2013 (r323674) +++ head/security/vuxml/vuln.xml Thu Jul 25 22:56:06 2013 (r323675) @@ -51,6 +51,42 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="80771b89-f57b-11e2-bf21-b499baab0cbe"> + <topic>gnupg -- side channel attack on RSA secret keys</topic> + <affects> + <package> + <name>gnupg</name> + <range><lt>1.4.14</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Yarom and Falkner paper reports:</p> + <blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html">; + <p>Flush+Reload is a cache side-channel attack that monitors access to + data in shared pages. In this paper we demonstrate how to use the + attack to extract private encryption keys from GnuPG. The high + resolution and low noise of the Flush+Reload attack enables a spy + program to recover over 98% of the bits of the private key in a + single decryption or signing round. Unlike previous attacks, the + attack targets the last level L3 cache. Consequently, the spy + program and the victim do not need to share the execution core of + the CPU. The attack is not limited to a traditional OS and can be + used in a virtualised environment, where it can attack programs + executing in a different VM..</p> + </blockquote> + </body> + </description> + <references> + <url>http://eprint.iacr.org/2013/448</url>; + <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>; + </references> + <dates> + <discovery>2013-07-18</discovery> + <entry>2013-07-25</entry> + </dates> + </vuln> + <vuln vid="c4d412c8-f4d1-11e2-b86c-000c295229d5"> <topic>openafs -- single-DES cell-wide key brute force vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201307252256.r6PMu6dp045282>