On St, 2016-07-20 at 15:32 +0000, Christian Stadelmann wrote:
I'm writing here since there are many known bugs (mostly fixed
upstream), including at least one CVE in a bunch of packages critical
to Fedora's integrity.
Version 1.7.2 is available: https://bugzilla.redhat.com/show_bug.cgi?
id=1306064 (note that 3 updates were missed)
CVE-2015-7511 libgcrypt: side-channel attack on ECDH with Weierstrass
curves [fedora-all]: https://bugzilla.redhat.com/show_bug.cgi?id=1306
Unfortunately libgcrypt-1.7 branch adds algorithms that are potentially
patent encumbered and I did not obtain response from legal yet. So
that's the reason why I did not move to 1.7 branch yet.
As for the CVE - is actually libgcrypt used for ECDH anywhere in
Fedora? If you provide backport of the fix to 1.6 branch I'll happily
gnupg2 hasn't seen an update in 2 months (3 versions) to Fedora
stable. According to this automatically created bug report https://bu
the maintainer has not
managed to ship the latest version in >1 year.
I've built gnupg-2.1.13 just recently in Rawhide and was planning to do
updates for released Fedoras but then upstream released a new version.
I plan to update Rawhide to it by this week and do updates for released
Fedoras in early August.
This is not only bad behavior of the maintainer, it also is a bad
sign on how security critical updates are handled in Fedora. Those
two packages are effectively unmaintained although all of Fedora's
security is based on them. This is a pretty ugly situation which
needs your attention and (probably) some action.
The second bug report against libgcrypt has an CVE assigned and
it is unfixed for months. This must not happen too. There should be
some mechanism to notify somebody if a maintainer doesn't act on CVEs
within 3 days.
If that was not a very low impact CVE I'd be willing to spend more time
on backporting the patch however it isn't.
No matter how far down the wrong road you've gone, turn back.
(You'll never know whether the road is wrong though.)