Hi! The GnuPG Project is pleased to announce the availability of Libgcrypt version 1.8.5. This release fixes an ECDSA side-channel attack. Libgcrypt is a general purpose library of cryptographic building blocks. It is originally based on code used by GnuPG. It does not provide any implementation of OpenPGP or other protocols. Thorough understanding of applied cryptography is required to use Libgcrypt. Noteworthy changes in version 1.8.5 =================================== * Bug fixes: - Add mitigation against an ECDSA timing attack. [T4626,CVE-2019-13627] - Improve ECDSA unblinding. * Other features: - Provide a pkg-config file for libgcrypt. Release-info: https://dev.gnupg.org/T4683
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7dcf27c125de973322f6b2199731e689837d714b commit 7dcf27c125de973322f6b2199731e689837d714b Author: Kristian Fiskerstrand <k_f@gentoo.org> AuthorDate: 2019-08-30 08:59:15 +0000 Commit: Kristian Fiskerstrand <k_f@gentoo.org> CommitDate: 2019-08-30 08:59:43 +0000 dev-libs/libgcrypt: New upstream version 1.8.5 Bug: https://bugs.gentoo.org/693108 Package-Manager: Portage-2.3.69, Repoman-2.3.16 Signed-off-by: Kristian Fiskerstrand <k_f@gentoo.org> dev-libs/libgcrypt/Manifest | 1 + dev-libs/libgcrypt/libgcrypt-1.8.5.ebuild | 76 +++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+)
Arches, please stabilize dev-libs/libgcrypt-1.8.5
alpha stable
s390 stable
ppc stable
amd64 stable
ppc64 stable
sparc stable
x86 stable
hppa stable
arm stable
arm64 stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-32 at https://security.gentoo.org/glsa/202003-32 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
SuperH port disbanded.
m68k dropped stable keywords
@maintainer(s), please cleanup
CVE-2019-12904 (https://nvd.nist.gov/vuln/detail/CVE-2019-12904): In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)
@maintainer(s), ping, please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8523b6a86cb32972ea1f06e2bab05a89e9e4157 commit b8523b6a86cb32972ea1f06e2bab05a89e9e4157 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2020-06-20 00:55:44 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2020-06-20 00:56:05 +0000 dev-libs/libgcrypt: drop vulnerable Bug: https://bugs.gentoo.org/693108 Signed-off-by: Aaron Bauman <bman@gentoo.org> dev-libs/libgcrypt/Manifest | 2 - dev-libs/libgcrypt/libgcrypt-1.8.3-r1.ebuild | 75 ---------------------------- dev-libs/libgcrypt/libgcrypt-1.8.3.ebuild | 74 --------------------------- dev-libs/libgcrypt/libgcrypt-1.8.4.ebuild | 75 ---------------------------- 4 files changed, 226 deletions(-)