From: Christopher Allan Webber <cwebber@dustycloud.org>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)
Date: Tue, 09 Feb 2016 12:31:02 -0800 [thread overview]
Message-ID: <87mvr9y6bd.fsf@dustycloud.org> (raw)
In-Reply-To: <87oabpljx1.fsf@netris.org>
[-- Attachment #1: Type: text/plain, Size: 1754 bytes --]
Mark H Weaver writes:
> Hi Chris,
>
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Hello all,
>>
>> New security release of libgcrypt:
>>
>>> Hello!
>>>
>>> The GNU project is pleased to announce the availability of Libgcrypt
>>> version 1.6.5. This is a security fix release to mitigate a new side
>>> channel attack.
>>>
>>> Noteworthy changes in version 1.6.5
>>> ===================================
>>>
>>> * Mitigate side-channel attack on ECDH with Weierstrass curves
>>> [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>>> details.
>>>
>>> * Fix build problem on Solaris.
>>
>> Here's a patch. It seems to build fine.
>>
>> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
>> From: Christopher Allan Webber <cwebber@dustycloud.org>
>> Date: Tue, 9 Feb 2016 11:49:06 -0800
>> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>>
>> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
>
> Thank you! The summary line should include the CVE, like this:
>
> gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].
Okay! I wasn't aware of that convention.
> Alas, this will require at least 7000 rebuilds. After the current
> 'security-updates' branch is merged, this should go on the next
> 'security-updates' branch, together with more fixes for graphite2 and
> libsndfile.
Yes it's unfortunate... it seems like security researchers are upping
their game in the post-heartbleed world (whatever that means)? I guess
that's good... better good security researchers do this stuff than some
other unspecified groups... but kind of a headache here? :)
Anyway, new patch! I don't know what to do about the security-updates
branch so I'll let you apply/push it.
- Chris
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-gnu-libgcrypt-Update-to-1.6.5-fixes-CVE-2015-7511.patch --]
[-- Type: text/x-patch, Size: 1192 bytes --]
From 6fec07507956efd6f7055d37d268c97ca5771d8c Mon Sep 17 00:00:00 2001
From: Christopher Allan Webber <cwebber@dustycloud.org>
Date: Tue, 9 Feb 2016 11:49:06 -0800
Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].
* gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
---
gnu/packages/gnupg.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index a35e8fc..608c437 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -70,14 +70,14 @@ Daemon and possibly more in the future.")
(define-public libgcrypt
(package
(name "libgcrypt")
- (version "1.6.4")
+ (version "1.6.5")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-"
version ".tar.bz2"))
(sha256
(base32
- "09k06gs27gxfha07sa9rpf4xh6mvphj9sky7n09ymx75w9zjrg69"))))
+ "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl"))))
(build-system gnu-build-system)
(propagated-inputs
`(("libgpg-error-host" ,libgpg-error)))
--
2.6.3
next prev parent reply other threads:[~2016-02-09 20:31 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-09 19:52 [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update) Christopher Allan Webber
2016-02-09 20:15 ` Mark H Weaver
2016-02-09 20:31 ` Christopher Allan Webber [this message]
2016-02-10 14:46 ` Andreas Enge
2016-02-10 16:53 ` wip-pulseaudio (was Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)) Efraim Flashner
2016-02-10 18:41 ` Efraim Flashner
2016-02-10 18:55 ` Andreas Enge
2016-02-10 20:43 ` Andreas Enge
2016-02-10 20:46 ` [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update) Mark H Weaver
2016-02-10 20:56 ` Andreas Enge
2016-02-11 9:52 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mvr9y6bd.fsf@dustycloud.org \
--to=cwebber@dustycloud.org \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).