Vulnerability: Developer advises against using crypto library Libgcrypt 1.9.0

Because of a security vulnerability, developers should no longer use the current version 1.9.0 of the crypto library Libgcrypt. A new release is on the way.

In a warning, the author Werner Koch advises against using the vulnerable version. Libgcrypt is used by GnuPG, among others. Release 1.9.0 is still quite recent (19 January 2021) and is not yet in widespread use. According to Koch, however, the crypto library is already included in Fedora 34 and Gentoo.

In the warning he speaks of a "severe mistake". Further information on the vulnerability is still pending. Koch says that a secure version will appear today.

In a security advisory, Werner Koch announces the availability of the new version Libgcrypt 1.9.1, which fixes a "critical security bug". According to the advisory, the security researcher Tavis Ormandy discovered a possible buffer overflow on the heap. It can easily be exploited to inject and execute code. It is enough for the affected library to process data supplied by the attacker. Anyone who uses Libgcrypt 1.9.0 should urgently update to the new version.
