[pkg-gnupg-maint] Bug#834326: jessie-pu: package gnupg/1.4.18-7+deb8u2

Salvatore Bonaccorso carnil at debian.org
Sun Aug 14 13:58:28 UTC 2016


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Dear SRM,

I would like to propose the following hardening to src:gnupg which was
found during the analysis of a vulnerability report to the security team
and related to
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
and developed by NIIBE Yutaka. The underlying problem in hardware cannot
be solved in software (and thus we don't want to issue a DSA for it, and
possibly give this false impression), and as pointed out by Florian,
there are some other open questions regarding the paper and the attacks
described there.

The GnuPG upstream repository contains the testcase to verify the fix,
as
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7dcad0d3503ac0d75e09efb16246dd78518986fc

The fix for gnupg is in experimental in the src:gnupg1 source package
with commits (1.4.20-6+exp5):

https://anonscm.debian.org/git/pkg-gnupg/gnupg1.git/commit/?h=experimental&id=5ed457210d69f95ea253221e14e6f8a8c8da0a5f

and has now migrated to unstable, with a new upload on 2016-08-13.

Thanks in advance,

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg_1.4.18-7+deb8u2.debdiff
Type: text/x-diff
Size: 4528 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160814/8a17691c/attachment.diff>

