Bug 567382 - [Tracking] dev-libs/libgcrypt 1.5 branch removal from stable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Crypto team [DISABLED]
URL:
Whiteboard:
Keywords: Tracker
Depends on: 567372 567376 567380 585366
Blocks: CVE-2014-3591 559942
Reported: 2015-12-02 20:14 UTC by Alon Bar-Lev
Modified: 2018-05-23 22:58 UTC
Description Alon Bar-Lev gentoo-dev 2015-12-02 20:14:47 UTC
For some reason, I was under the impression that this has already been done.
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2015-12-03 19:32:34 UTC
You will also need libgcrypt:11/11 stable or see if dev-db/xtrabackup-bin can use the new libgcrypt in a version bump
Comment 2 Alon Bar-Lev gentoo-dev 2015-12-03 19:37:33 UTC
(In reply to Brian Evans from comment #1)
> You will also need libgcrypt:11/11 stable or see if dev-db/xtrabackup-bin
> can use the new libgcrypt in a version bump

Hmmm... I thought that -bin packages are not going to stable branch.
We cannot make this libgcrypt stable as it has security issues; see bug #541564.
Comment 3 Brian Evans Gentoo Infrastructure gentoo-dev 2015-12-03 19:44:22 UTC
(In reply to Alon Bar-Lev from comment #2)
> (In reply to Brian Evans from comment #1)
> > You will also need libgcrypt:11/11 stable or see if dev-db/xtrabackup-bin
> > can use the new libgcrypt in a version bump
> 
> hmmm... I thought that -bin packages are not going to stable branch.
> we cannot make this libgcrypt stable as it has security issues see
> bug#541564.

@idl0r: Now we have an issue with xtrabackup-bin needing libgcrypt.so.11.  Even the latest 2.3.2 upstream still looks for it.
Comment 4 Fabio Rossi 2016-01-20 13:38:00 UTC
Also latest vmware-workstation-12.1.0.3272444 (not yet in portage) is shipped with libgcrypt.so.11 (however I have not tested yet with latest libgcrypt version).
Comment 5 Pacho Ramos gentoo-dev 2016-05-19 13:41:33 UTC
As a side note (as I see multiple reverse deps from closed source packages needing it), it seems that Debian people are still maintaining the old .11 version for that (it is also the version Arch people are relying on for trying to have the security bugs fixed):
https://tracker.debian.org/pkg/libgcrypt11
Comment 6 Kristian Fiskerstrand gentoo-dev Security 2016-08-18 07:44:02 UTC
libgcrypt in branch 0/11 (stable 1.5) will be dropped soon; any application still requiring 1.5 will need to be changed to use 11/11, which means being dropped to ~arch, as this slot will NOT be stabilized.

I'll bump 1.5.6 in 11/11 slot due to security bug, but this branch is not really still supported. Any application relying on 1.5 still should be fixed to use 1.7 (ABI and API compatible with 1.6).
Comment 7 Kristian Fiskerstrand gentoo-dev Security 2016-08-18 08:40:14 UTC
The necessary reverse dependencies have already been properly updated, so removal is now done

commit d266cee915c186a65e4ac94e9726744c37077cdf
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Thu Aug 18 10:38:10 2016 +0200

    dev-libs/libgcrypt: Remove vulnerable 1.5.5 in 0/11 slot
    
    This is the final package version in 0/11 slot
    
    Gentoo-Bug: 567382
    Gentoo-Bug: 591534
    
    Package-Manager: portage-2.3.0
Comment 8 Kristian Fiskerstrand gentoo-dev Security 2016-08-18 16:16:26 UTC
Removed from stable, sufficient for this tracker for now, will rather re-open if we want to drop testing support at a later stage