Package: libgcrypt20
Severity: important
X-Debbugs-CC: whonix-de...@whonix.org

Dear maintainer,

Quoting Werner Koch [1]:

> We have to announce the availability of Libgcrypt version 1.9.1. This version fixes a *critical security bug* in the recently released version 1.9.0. If you are already using 1.9.0 please update immediately to 1.9.1.
>
> On 2021-01-28 Tavis Ormandy contacted us to report a severe bug in 1.9.0 which he found while testing GnuPG:
>
>> There is a heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.
>
> A CVE-id has not yet been assigned.
>
> We track this bug at https://dev.gnupg.org/T5275

Cheers,
Patrick

[1] https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
[2] https://dev.gnupg.org/T5275
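A quick check a Debian administrator can run to see whether the installed libgcrypt20 is the affected 1.9.0 release, added here as an example and not part of the bug report. It assumes, as the quoted announcement states, that only upstream 1.9.0 is affected and 1.9.1 is the fix; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or the libgcrypt project):
# decide from a Debian version string whether libgcrypt20 is the
# affected upstream 1.9.0 release described in the announcement.

# upstream_version "1:1.9.0-2" -> "1.9.0"
# Strips a leading epoch ("1:") and a trailing Debian revision ("-2").
upstream_version() {
    v=$1
    v=${v#*:}      # drop epoch, if any
    v=${v%%-*}     # drop Debian revision, if any
    printf '%s\n' "$v"
}

# libgcrypt_affected VERSION -> exit 0 if the version is upstream 1.9.0
# (affected), 1 otherwise. 1.9.1 and older 1.8.x releases are not affected.
libgcrypt_affected() {
    case "$(upstream_version "$1")" in
        1.9.0) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_installed: query dpkg for the installed libgcrypt20 version and
# report whether it needs the 1.9.1 update. Exit 0 = affected, 1 = not
# affected, 2 = could not determine (no dpkg-query or package missing).
check_installed() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not available"; return 2; }
    ver=$(dpkg-query -W -f='${Version}' libgcrypt20 2>/dev/null) \
        || { echo "libgcrypt20 is not installed"; return 2; }
    if libgcrypt_affected "$ver"; then
        echo "libgcrypt20 $ver is affected (see https://dev.gnupg.org/T5275); update to 1.9.1"
        return 0
    fi
    echo "libgcrypt20 $ver is not the affected 1.9.0 release"
    return 1
}
```

Run `check_installed` on the host; on a non-Debian system `libgcrypt_affected` can be fed a version string directly.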