On 08/08/14 14:02, Tristan Santore wrote:
On 08/08/14 13:46, Jan Rusnacko wrote:
> Hello Tristan,
>
> thank you for creating a bugzilla, this seems worthy of further investigation. Do you
> have any information whether a fix for this issue is available in the upstream version of
> libgcrypt? Also, if you have any additional reports about this flaw, would you mind
> attaching those to the bugzilla?
>
> Thank you !
>
> On 08.08.2014 13:03, Tristan Santore wrote:
>> Dear All,
>>
>> Werner has just pointed out that libgcrypt 1.5.3 is vulnerable to an
>> ELGAMAL side-channel attack.
>>
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1128130
>>
>> I added the bugzilla as tracker bug and to add transparency to Fedora.
>>
>> Regards,
>>
>> Tristan
>>
Yes, Werner (upstream) said that the next 1.2x version fixes it.
Regards,
Tristan
Sorry, 1.5.4. I have been up all night, brain seems to be having a
malfunction. Haha!
Werner does state that the 1.6 branches should be used really. So not
sure how this will work with our version stability rules. See quotation
below.
To quote:
The recommendation is to update any Libgcrypt version below 1.6.0 to at
least the latest version from the 1.5 series which is 1.5.4. Updating
to 1.6.1 is also possible but that requires to rebuild GnuPG.
Libgcrypt 1.5.4 has been released yesterday [3]; for convenience I
include the download instructions below. A CVE-id has not yet been
assigned.
Many thanks to Daniel Genkin for pointing out this problem.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org