CVE-2014-5270
libgcrypt11 - security update
EPSS 0.07%
Description
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
How to fix CVE-2014-5270
To remediate CVE-2014-5270, upgrade the affected package to one of the fixed versions listed below (or later).
- Debian/gnupg—upgrade to 1.4.10-4+squeeze6 or later
- Debian/gnupg—upgrade to 1.4.12-7+deb7u6 or later
- —upgrade to 1.4.5-2+squeeze2 or later
- —upgrade to 1.5.0-5+deb7u2 or later
- —upgrade to 1.6.0-2 or later
Is CVE-2014-5270 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 1.4.10-4+squeeze6
- from 0, < 1.4.12-7+deb7u6
- from 0, < 1.4.5-2+squeeze2
- from 0, < 1.5.0-5+deb7u2
- from 0, < 1.6.0-2