Mark H Weaver writes: > Hi Chris, > > Christopher Allan Webber writes: > >> Hello all, >> >> New security release of libgcrypt: >> >>> Hello! >>> >>> The GNU project is pleased to announce the availability of Libgcrypt >>> version 1.6.5. This is a security fix release to mitigate a new side >>> channel attack. >>> >>> Noteworthy changes in version 1.6.5 >>> =================================== >>> >>> * Mitigate side-channel attack on ECDH with Weierstrass curves >>> [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for >>> details. >>> >>> * Fix build problem on Solaris. >> >> Here's a patch. It seems to build fine. >> >> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001 >> From: Christopher Allan Webber >> Date: Tue, 9 Feb 2016 11:49:06 -0800 >> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5. >> >> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5. > > Thank you! The summary line should include the CVE, like this: > > gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511]. Okay! I wasn't aware of that convention. > Alas, this will require at least 7000 rebuilds. After the current > 'security-updates' branch is merged, this should go on the next > 'security-updates' branch, together with more fixes for graphite2 and > libsndfile. Yes it's unfortunate... it seems like security researchers are upping their game in the post-heartbleed world (whatever that means)? I guess that's good... better good security researchers do this stuff than some other unspecified groups... but kind of a headache here? :) Anyway, new patch! I don't know what to do about the security-updates branch so I'll let you apply/push it. - Chris