On 02/23/16 13:45, Antoine Jacoutot wrote:
> On Tue, Feb 23, 2016 at 01:22:26PM +0000, Sevan Janiyan wrote:
>> Version of security/libgcrypt is vulnerable to CVE-2015-7511
>> https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html
> 
> Thanks.
> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/libgcrypt/Makefile,v
> retrieving revision 1.40
> diff -u -p -r1.40 Makefile
> --- Makefile  9 Sep 2015 07:46:44 -0000       1.40
> +++ Makefile  23 Feb 2016 13:45:02 -0000
> @@ -2,10 +2,10 @@
>  
>  COMMENT=             crypto library based on code used in GnuPG
>  
> -DISTNAME=            libgcrypt-1.6.4
> +DISTNAME=            libgcrypt-1.6.5
>  CATEGORIES=          security
>  
> -SHARED_LIBS +=  gcrypt               19.2     # 20.4
> +SHARED_LIBS +=  gcrypt               19.2     # 20.5
>  
>  HOMEPAGE=            http://www.gnupg.org/
>  
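Review bot: SHARED_LIBS keeps gcrypt at 19.2 while only the trailing comment moves from `# 20.4` to `# 20.5`; that is correct only if 1.6.5 adds no exported symbols relative to 1.6.4. Please check the exports of the old and new libgcrypt.so (e.g. by diffing `nm -D` output) and bump the minor to 19.3 if anything was added; since the hunk otherwise looks like a no-op at a glance, a short note that the ABI was checked would help the next reader.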
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/libgcrypt/distinfo,v
> retrieving revision 1.18
> diff -u -p -r1.18 distinfo
> --- distinfo  9 Sep 2015 07:46:44 -0000       1.18
> +++ distinfo  23 Feb 2016 13:45:02 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (libgcrypt-1.6.4.tar.gz) = 
> XCB2ISlhcS5HdKvzLIXLWFN9VE1gFqJGT7Mng2U9G20=
> -SIZE (libgcrypt-1.6.4.tar.gz) = 2970656
> +SHA256 (libgcrypt-1.6.5.tar.gz) = 
> ICvxCczy1hRWXISfPlaHuUzelyFns1Jh4JQlI2die8Y=
> +SIZE (libgcrypt-1.6.5.tar.gz) = 2970811
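Review bot: both SHA256 entries are split across two lines (`= ` followed by the base64 value on the next line), which looks like a mail-client wrap; make sure the committed distinfo has each entry on a single line, since `make checksum` will not match the wrapped form. Beyond the fetch-generated sum, the 1.6.5 tarball is worth checking against upstream's detached signature, because distinfo only pins whatever was downloaded.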
> 
> 
I saw this on debian security updates just over 1 week ago,

-------------------------------------------------------------------------
Debian Security Advisory DSA-3478-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 15, 2016                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libgcrypt11
CVE ID         : CVE-2015-7511

Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer discovered
that the ECDH secret decryption keys in applications using the
libgcrypt11 library could be leaked via a side-channel attack.

See https://www.cs.tau.ac.IL/~tromer/ecdh/ for details.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.5.0-5+deb7u4.

We recommend that you upgrade your libgcrypt11 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



The question is why portroach didn't see the update shortly after 1.6.5
was released? Does something else need changing?

