CVE-2016-6313

Description

The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.

How to fix CVE-2016-6313

To remediate CVE-2016-6313, upgrade the affected package to a fixed version below.

• Alpine/libgcrypt—upgrade to 1.7.0-r1 or later
• —upgrade to 1.4.12-7+deb7u8 or later
• —upgrade to 1.4.18-7+deb8u2 or later
• —upgrade to 1.4.21-1 or later
• —upgrade to 1.5.0-5+deb7u5 or later
• —upgrade to 1.7.3-1 or later
• —upgrade to 1.6.3-2+deb8u2 or later

Is CVE-2016-6313 being exploited?

Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 1.7.0-r1
• from 0, < 1.4.12-7+deb7u8
• from 0, < 1.4.18-7+deb8u2
• from 0, < 1.4.21-1
• from 0, < 1.5.0-5+deb7u5
• from 0, < 1.7.3-1
• from 0, < 1.6.3-2+deb8u2

CVSS scores

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2016-6313
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-6313