[pkg-gnupg-maint] Bug#834327: jessie-pu: package gnupg2/2.0.26-6+deb8u1

Salvatore Bonaccorso carnil at debian.org
Sun Aug 14 14:00:01 UTC 2016


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Dear SRM,

I would like to propose the following hardening to src:gnupg2 which was
found during the analysis of a vulnerability report to the security team
and related to
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf
and developed by NIIBE Yutaka. The underlying problem in hardware cannot
be solved in software (and thus we don't want to issue a DSA for it, and
possibly give this false impression), and as pointed out by Florian
there are some other open questions regarding the paper and the attacks
described there.

The GnuPG upstream repository contains the testcase to verify the fix,
as
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7dcad0d3503ac0d75e09efb16246dd78518986fc

The fix for gnupg is in experimental in the src:gnupg2 source package
with commits (2.1.14-4):

https://anonscm.debian.org/cgit/pkg-gnupg/gnupg2.git/commit/?h=experimental&id=5819eecbfe06ad18744739026d8f805856dd4622

and migrated now to unstable, with a new upload on 2016-08-13.

Thanks in advance,

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg2_2.0.26-6+deb8u1.debdiff
Type: text/x-diff
Size: 4650 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20160814/64624008/attachment.diff>

