Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Aug 2016 19:58:19 +0300
From: Solar Designer <>
Cc: Werner Koch <>
Subject: Libgcrypt and GnuPG 1.4 RNG output prediction


This was just announced on gnupg-announce and Twitter @gnupg, and I
think it should also be in here:

> Felix Drre and Vladimir Klebanov from the Karlsruhe Institute of
> Technology found a bug in the mixing functions of Libgcrypt's random
> number generator: An attacker who obtains 4640 bits from the RNG can
> trivially predict the next 160 bits of output.  This bug exists since
> 1998 in all GnuPG and Libgcrypt versions.
> Impact
> ======
> All Libgcrypt and GnuPG versions released before 2016-08-17 are affected
> on all platforms.
> A first analysis on the impact of this bug in GnuPG shows that existing
> RSA keys are not weakened.  For DSA and Elgamal keys it is also unlikely
> that the private key can be predicted from other public information.
> This needs more research and I would suggest _not to_ overhasty revoke
> keys.

Also off Twitter:

<@rgacogne> @gnupg @solardiz The CVE number (CVE-2016-6316) seems to have been used to track another security issue rubygem-actionview, is that correct?

There does in fact appear to be a CVE ID clash, with:


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.