Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 541568 - <app-crypt/gnupg-1.4.19: Two side-channel attacks (CVE-{2014-3591,2015-0837})
Summary: <app-crypt/gnupg-1.4.19: Two side-channel attacks (CVE-{2014-3591,2015-0837})
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 541788
  Show dependency tree
Reported: 2015-02-27 22:13 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-06-05 20:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-27 22:13:50 UTC
From ${URL}:
We are pleased to announce the availability of a new GnuPG classic
release: Version 1.4.19.  This release mitigates two new side channel

Updating any GnuPG 1.4 version to 1.4.19 is suggested!

To update a GnuPG 2.0 or 2.1 version you need to update the shared
library Libgcrypt to version 1.6.3.

The libgcrypt bump is handled in bug 541564

+*gnupg-1.4.19 (27 Feb 2015)
+  27 Feb 2015; Kristian Fiskerstrand <> +gnupg-1.4.19.ebuild:
+  Version bump of 1.4 series. This release mitigates two new side channel


Setting rating to B as the default installation is GnuPG 2.0, however 1.4 is still stabilized.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-28 14:18:49 UTC
Arches, please stabilize:
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-02 20:20:54 UTC
Stable for HPPA.
Comment 3 Markus Meier gentoo-dev 2015-03-03 22:21:00 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-04 09:50:59 UTC
amd64 stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-03-06 22:17:16 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-25 16:07:47 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-03-26 11:22:48 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-03-26 11:29:56 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-30 09:51:15 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-03-30 10:03:49 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:24:53 UTC
Arches, Thank you for your work.

GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:19:03 UTC
Added to existing GLSA request (eb6e5a471)
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-05-11 19:37:28 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 19:40:11 UTC
+  11 May 2015; Kristian Fiskerstrand <> -gnupg-1.4.18.ebuild:
+  Remove vulnerable version c.f bug #541568
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-06-05 20:45:10 UTC
This issue was resolved and addressed in
 GLSA 201606-04 at
by GLSA coordinator Yury German (BlueKnight)