On St, 2016-07-20 at 16:42 +0000, Christian Stadelmann wrote:
> On St, 2016-07-20 at 15:32 +0000, Christian Stadelmann wrote:
> Unfortunately the libgcrypt-1.7 branch adds algorithms that are
> patent encumbered and I did not obtain a response from legal yet. So
> that's the reason why I did not move to the 1.7 branch yet.
Ok, so it isn't unmaintained. That's good news. From having no
answers to those bug reports I assumed nobody would care. Looks like
> As for the CVE - is actually libgcrypt used for ECDH anywhere in
> Fedora? If you provide backport of the fix to 1.6 branch I'll
> apply it.
How about updating to 1.6.5, which is just the CVE fix + a build fix?
It doesn't include any new algorithms at all, so there is no need to
Adding a note to the libgcrypt bug would be useful.
I will update libgcrypt to 1.6.5.
> > This is not only bad behavior of the maintainer, it also is a bad
> > sign on how security critical updates are handled in Fedora. Those
> > two packages are effectively unmaintained although all of Fedora's
> > security is based on them. This is a pretty ugly situation which
> > needs your attention and (probably) some action.
Luckily, it isn't as bad as it looked to me. Sorry for the harsh
tone. From seeing no reactions to any of these bugs I concluded that
nobody was caring.
> If that were not a very low-impact CVE I'd be willing to spend more
> time on backporting the patch; however, it isn't.
Still, it is a CVE. And there is no need to backport it, just update
libgcrypt to 1.6.5.
For some reason I did not notice the release of 1.6.5. I am sorry for
No matter how far down the wrong road you've gone, turn back.
(You'll never know whether the road is wrong though.)