From: Mark H Weaver
Subject: Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)
Date: Tue, 09 Feb 2016 15:15:38 -0500
Message-ID: <87oabpljx1.fsf@netris.org>
References: <87si11y83q.fsf@dustycloud.org>
In-Reply-To: <87si11y83q.fsf@dustycloud.org> (Christopher Allan Webber's message of "Tue, 09 Feb 2016 11:52:54 -0800")
To: Christopher Allan Webber
Cc: guix-devel@gnu.org

Hi Chris,

Christopher Allan Webber writes:

> Hello all,
>
> New security release of libgcrypt:
>
>> Hello!
>>
>> The GNU project is pleased to announce the availability of Libgcrypt
>> version 1.6.5. This is a security fix release to mitigate a new side
>> channel attack.
>>
>> Noteworthy changes in version 1.6.5
>> ===================================
>>
>> * Mitigate side-channel attack on ECDH with Weierstrass curves
>>   [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>>   details.
>>
>> * Fix build problem on Solaris.
>
> Here's a patch. It seems to build fine.
>
> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
> From: Christopher Allan Webber
> Date: Tue, 9 Feb 2016 11:49:06 -0800
> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>
> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.

Thank you! The summary line should include the CVE, like this:

  gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].

Alas, this will require at least 7000 rebuilds. After the current
'security-updates' branch is merged, this should go on the next
'security-updates' branch, together with more fixes for graphite2 and
libsndfile.

Mark