Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 541568 - <app-crypt/gnupg-1.4.19: Two side-channel attacks (CVE-{2014-3591,2015-0837})
Summary: <app-crypt/gnupg-1.4.19: Two side-channel attacks (CVE-{2014-3591,2015-0837})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://lists.gnupg.org/pipermail/gnu...
Whiteboard: B3 [glsa]
Keywords:
Depends on: 541788
Blocks:
  Show dependency tree
 
Reported: 2015-02-27 22:13 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-06-05 20:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-27 22:13:50 UTC 
From ${URL}:
We are pleased to announce the availability of a new GnuPG classic
release: Version 1.4.19.  This release mitigates two new side channel
attacks.

Updating any GnuPG 1.4 version to 1.4.19 is suggested!

To update a GnuPG 2.0 or 2.1 version you need to update the shared
library Libgcrypt to version 1.6.3.

##
The libgcrypt bump is handled in bug 541564
##

+*gnupg-1.4.19 (27 Feb 2015)
+
+  27 Feb 2015; Kristian Fiskerstrand <k_f@gentoo.org> +gnupg-1.4.19.ebuild:
+  Version bump of 1.4 series. This release mitigates two new side channel
+

#

Setting rating to B as the default installation is GnuPG 2.0, however 1.4 is still stabilized.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-28 14:18:49 UTC 
Arches, please stabilize:
=app-crypt/gnupg-1.4.19
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-02 20:20:54 UTC 
Stable for HPPA.
Comment 3 Markus Meier gentoo-dev 2015-03-03 22:21:00 UTC 
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-04 09:50:59 UTC 
amd64 stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-03-06 22:17:16 UTC 
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-03-25 16:07:47 UTC 
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-03-26 11:22:48 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-03-26 11:29:56 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-30 09:51:15 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-03-30 10:03:49 UTC 
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 20:24:53 UTC 
Arches, Thank you for your work.

GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:19:03 UTC 
Added to existing GLSA request (eb6e5a471)
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-05-11 19:37:28 UTC 
Maintainer(s), please drop the vulnerable version(s).
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 19:40:11 UTC 
+  11 May 2015; Kristian Fiskerstrand <k_f@gentoo.org> -gnupg-1.4.18.ebuild:
+  Remove vulnerable version c.f bug #541568
+
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2016-06-05 20:45:10 UTC 
This issue was resolved and addressed in
 GLSA 201606-04 at https://security.gentoo.org/glsa/201606-04
by GLSA coordinator Yury German (BlueKnight)