From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mark H Weaver <mhw@netris.org>
Subject: Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)
Date: Tue, 09 Feb 2016 15:15:38 -0500
Message-ID: <87oabpljx1.fsf@netris.org>
References: <87si11y83q.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57134)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1aTEi2-00046G-M0
	for guix-devel@gnu.org; Tue, 09 Feb 2016 15:16:27 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1aTEhz-0000rc-Fm
	for guix-devel@gnu.org; Tue, 09 Feb 2016 15:16:26 -0500
Received: from world.peace.net ([50.252.239.5]:39954)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mhw@netris.org>) id 1aTEhz-0000pZ-Bk
	for guix-devel@gnu.org; Tue, 09 Feb 2016 15:16:23 -0500
In-Reply-To: <87si11y83q.fsf@dustycloud.org> (Christopher Allan Webber's
	message of "Tue, 09 Feb 2016 11:52:54 -0800")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: Christopher Allan Webber <cwebber@dustycloud.org>
Cc: guix-devel@gnu.org

Hi Chris,

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> Hello all,
>
> New security release of libgcrypt:
>
>> Hello!
>> 
>> The GNU project is pleased to announce the availability of Libgcrypt
>> version 1.6.5.  This is a security fix release to mitigate a new side
>> channel attack.
>> 
>> Noteworthy changes in version 1.6.5
>> ===================================
>> 
>>  * Mitigate side-channel attack on ECDH with Weierstrass curves
>>    [CVE-2015-7511].  See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>>    details.
>> 
>>  * Fix build problem on Solaris.
>
> Here's a patch.  It seems to build fine.
>
> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
> From: Christopher Allan Webber <cwebber@dustycloud.org>
> Date: Tue, 9 Feb 2016 11:49:06 -0800
> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>
> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.

Thank you!  The summary line should include the CVE, like this:

  gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

Alas, this will require at least 7000 rebuilds.  After the current
'security-updates' branch is merged, this should go on the next
'security-updates' branch, together with more fixes for graphite2 and
libsndfile.

       Mark