The following updates have been released for Debian GNU/Linux 7 LTS:
[DLA 1015-1] libgcrypt11 security update
[DLA 1016-1] radare2 security update
[DLA 1015-1] libgcrypt11 security update
Package : libgcrypt11
Version : 1.5.0-5+deb7u6
CVE ID : CVE-2017-7526
It was discovered that there was a key disclosure vulnerability in libgcrypt11,
a library of cryptographic routines:
It is well known that constant-time implementations of modular exponentiation
cannot use sliding windows. However, software libraries such as Libgcrypt,
used by GnuPG, continue to use sliding windows. It is widely believed that,
even if the complete pattern of squarings and multiplications is observed
through a side-channel attack, the number of exponent bits leaked is not
sufficient to carry out a full key-recovery attack against RSA.
Specifically, 4-bit sliding windows leak only 40% of the bits, and 5-bit
sliding windows leak only 33% of the bits.
-- Sliding right into disaster: Left-to-right sliding windows leak
https://eprint.iacr.org/2017/627
For Debian 7 "Wheezy", this issue has been fixed in libgcrypt11 version
1.5.0-5+deb7u6.
We recommend that you upgrade your libgcrypt11 packages.
[DLA 1016-1] radare2 security update
Package : radare2
Version : 0.9-3+deb7u3
CVE ID : CVE-2017-10929
Debian Bug : #867369
It was discovered that there was a heap-based buffer overflow in radare2, a
reverse-engineering framework. The grub_memmove function allowed attackers to
cause a remote denial of service.
For Debian 7 "Wheezy", this issue has been fixed in radare2 version
0.9-3+deb7u3.
We recommend that you upgrade your radare2 packages.
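To check an inventory of installed versions against the fixed versions named in both advisories above, the following is an added example (not part of the advisories or of Debian's tooling) that implements the Debian version ordering rules in pure Python. The function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed versions as stated in DLA 1015-1 and DLA 1016-1 above.
FIXED = {"libgcrypt11": "1.5.0-5+deb7u6", "radare2": "0.9-3+deb7u3"}

def order(ch):
    """dpkg character rank: '~' < end of string < letters < other symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def compare_part(a, b):
    """Compare upstream or revision strings, alternating text and number runs."""
    while a or b:
        ta, tb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            ra, rb = order(ta[i:i + 1]), order(tb[i:i + 1])
            if ra != rb:
                return -1 if ra < rb else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def split_version(v):
    """Return (epoch, upstream, revision); missing epoch or revision means 0."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "0")

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return compare_part(ua, ub) or compare_part(ra, rb)

def needs_upgrade(inventory):
    """Return sorted package names installed below the advisory's fixed version."""
    return sorted(p for p, v in inventory.items()
                  if p in FIXED and compare_versions(v, FIXED[p]) < 0)

if __name__ == "__main__":
    # Constructed sample inventory, e.g. gathered with dpkg-query on each host.
    sample = {"libgcrypt11": "1.5.0-5+deb7u5", "radare2": "0.9-3+deb7u3"}
    print(needs_upgrade(sample))
```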