[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update)
From: |
Mark H Weaver |
Subject: |
Re: [PATCH] gnu: libgcrypt: Update to 1.6.5. (security update) |
Date: |
Tue, 09 Feb 2016 15:15:38 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.0.90 (gnu/linux) |
Hi Chris,
Christopher Allan Webber <address@hidden> writes:
> Hello all,
>
> New security release of libgcrypt:
>
>> Hello!
>>
>> The GNU project is pleased to announce the availability of Libgcrypt
>> version 1.6.5. This is a security fix release to mitigate a new side
>> channel attack.
>>
>> Noteworthy changes in version 1.6.5
>> ===================================
>>
>> * Mitigate side-channel attack on ECDH with Weierstrass curves
>> [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
>> details.
>>
>> * Fix build problem on Solaris.
>
> Here's a patch. It seems to build fine.
>
> From f45b192c0e648fea95a98d681d8ecdff3dc15bdb Mon Sep 17 00:00:00 2001
> From: Christopher Allan Webber <address@hidden>
> Date: Tue, 9 Feb 2016 11:49:06 -0800
> Subject: [PATCH] gnu: libgcrypt: Update to 1.6.5.
>
> * gnu/packages/gnupg.scm (libgcrypt): Update to 1.6.5.
Thank you! The summary line should include the CVE, like this:
gnu: libgcrypt: Update to 1.6.5 [fixes CVE-2015-7511].
Alas, this will require at least 7000 rebuilds. After the current
'security-updates' branch is merged, this should go on the next
'security-updates' branch, together with more fixes for graphite2 and
libsndfile.
Mark