Dear All,
Werner has just pointed out that libgcrypt 1.5.3 is vulnerable to an ElGamal side-channel attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1128130
I added the bugzilla as a tracker bug and to add transparency for Fedora.
Regards,
Tristan
Hello Tristan,
thank you for creating a bugzilla, this seems worthy of further investigation. Do you have any information on whether a fix for this issue is available in the upstream version of libgcrypt? Also, if you have any additional reports about this flaw, would you mind attaching those to the bugzilla?
Thank you!
On 08.08.2014 13:03, Tristan Santore wrote:
Dear All,
Werner has just pointed out that libgcrypt 1.5.3 is vulnerable to an ElGamal side-channel attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1128130
I added the bugzilla as a tracker bug and to add transparency for Fedora.
Regards,
Tristan
On 08/08/14 13:46, Jan Rusnacko wrote:
Hello Tristan,
thank you for creating a bugzilla, this seems worthy of further investigation. Do you have any information on whether a fix for this issue is available in the upstream version of libgcrypt? Also, if you have any additional reports about this flaw, would you mind attaching those to the bugzilla?
Thank you!
Yes, Werner (upstream) said that the next 1.2x version fixes it.
Regards,
Tristan
On 08/08/14 14:02, Tristan Santore wrote:
Yes, Werner (upstream) said that the next 1.2x version fixes it.
Regards,
Tristan
Sorry, 1.5.4. I have been up all night, my brain seems to be having a malfunction. Haha! Werner does state that the 1.6 branches should really be used. So I am not sure how this will work with our version stability rules. See the quotation below.
To quote:
The recommendation is to update any Libgcrypt version below 1.6.0 to at least the latest version from the 1.5 series, which is 1.5.4. Updating to 1.6.1 is also possible, but that requires rebuilding GnuPG.
Libgcrypt 1.5.4 was released yesterday [3]; for convenience I include the download instructions below. A CVE-id has not yet been assigned.
Many thanks to Daniel Genkin for pointing out this problem.
Regards, Tristan
On 08.08.2014 15:08, Tristan Santore wrote:
Sorry, 1.5.4. I have been up all night, my brain seems to be having a malfunction. Haha! Werner does state that the 1.6 branches should really be used. So I am not sure how this will work with our version stability rules. See the quotation below.
To quote:
The recommendation is to update any Libgcrypt version below 1.6.0 to at least the latest version from the 1.5 series, which is 1.5.4. Updating to 1.6.1 is also possible, but that requires rebuilding GnuPG.
Libgcrypt 1.5.4 was released yesterday [3]; for convenience I include the download instructions below. A CVE-id has not yet been assigned.
Many thanks to Daniel Genkin for pointing out this problem.
Regards, Tristan
Awesome info, thank you!!
security-team@lists.fedoraproject.org