Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Sep 2015 12:55:15 +0200
From: Florian Weimer <>
Subject: Re: CVE Request: libgcrypt hardening for RSA-CRT leak

On 09/08/2015 12:05 PM, Marcus Meissner wrote:
> Hi,
> Redhat has published a paper on RSA-CRT keyleakage.
> There was a CVE assigned for this issue CVE-2015-5738, but the software scope of this assigned is not clear.
> libgcrypt has published a hardening fix for the same issue.
> Should it get a new CVE?

For context, Oracle has assigned CVE-2015-0478 for the missing hardening
in the default JCE implementation:

This case is similar to libgcrypt, I believe: no key leaks have been
attributed to this implementation, the change is purely hardening in
this sense (and I would not have assigned a CVE ID to this).

Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ