[OE-core] [PATCH] libgcrypt: CVE-2017-9526

Burton, Ross ross.burton at intel.com
Thu Jun 22 09:52:38 UTC 2017


On 22 June 2017 at 09:23, Ovidiu Panait <ovpanait at gmail.com> wrote:

> In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session key
> (from side-channel observation during the signing process) can easily
> recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change
> to store this session key in secure memory, to ensure that constant-time
> point operations are used in the MPI library.
>

An upgrade to 1.7.7 is preferred as we're not upgrade-frozen right now.

Ross