From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christopher Allan Webber Subject: Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update) Date: Tue, 09 Feb 2016 12:31:02 -0800 Message-ID: <87mvr9y6bd.fsf@dustycloud.org> References: <87si11y83q.fsf@dustycloud.org> <87oabpljx1.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:33058) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aTEwF-0008Rp-F3 for guix-devel@gnu.org; Tue, 09 Feb 2016 15:31:08 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aTEwC-0004q5-8R for guix-devel@gnu.org; Tue, 09 Feb 2016 15:31:07 -0500 Received: from dustycloud.org ([50.116.34.160]:56998) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aTEwC-0004p4-5A for guix-devel@gnu.org; Tue, 09 Feb 2016 15:31:04 -0500 In-reply-to: <87oabpljx1.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: Mark H Weaver Cc: guix-devel@gnu.org --=-=-= Content-Type: text/plain Mark H Weaver writes: > Hi Chris, > > Christopher Allan Webber writes: > >> Hello all, >> >> New security release of libgcrypt: >> >>> Hello! >>> >>> The GNU project is pleased to announce the availability of Libgcrypt >>> version 1.6.5. This is a security fix release to mitigate a new side >>> channel attack. >>> >>> Noteworthy changes in version 1.6.5 >>> =================================== >>> >>> * Mitigate side-channel attack on ECDH with Weierstrass curves >>> [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for >>> details. >>> >>> * Fix build problem on Solaris. >> >> Here's a patch. It seems to build fine. >> >> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001 >> From: Christopher Allan Webber >> Date: Tue, 9 Feb 2016 11:49:06 -0800 >> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5. >> >> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5. > > Thank you! The summary line should include the CVE, like this: > > gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511]. Okay! I wasn't aware of that convention. > Alas, this will require at least 7000 rebuilds. After the current > 'security-updates' branch is merged, this should go on the next > 'security-updates' branch, together with more fixes for graphite2 and > libsndfile. Yes it's unfortunate... it seems like security researchers are upping their game in the post-heartbleed world (whatever that means)? I guess that's good... better good security researchers do this stuff than some other unspecified groups... but kind of a headache here? :) Anyway, new patch! I don't know what to do about the security-updates branch so I'll let you apply/push it. - Chris --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-libgcrypt-Update-to-1.6.5-fixes-CVE-2015-7511.patch >From 6fec07507956efd6f7055d37d268c97ca5771d8c Mon Sep 17 00:00:00 2001 From: Christopher Allan Webber Date: Tue, 9 Feb 2016 11:49:06 -0800 Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511]. * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5. --- gnu/packages/gnupg.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm index a35e8fc..608c437 100644 --- a/gnu/packages/gnupg.scm +++ b/gnu/packages/gnupg.scm @@ -70,14 +70,14 @@ Daemon and possibly more in the future.") (define-public libgcrypt (package (name "libgcrypt") - (version "1.6.4") + (version "1.6.5") (source (origin (method url-fetch) (uri (string-append "mirror://gnupg/libgcrypt/libgcrypt-" version ".tar.bz2")) (sha256 (base32 - "09k06gs27gxfha07sa9rpf4xh6mvphj9sky7n09ymx75w9zjrg69")))) + "0959mwfzsxhallxdqlw359xg180ll2skxwyy35qawmfl89cbr7pl")))) (build-system gnu-build-system) (propagated-inputs `(("libgpg-error-host" ,libgpg-error))) -- 2.6.3 --=-=-=--