libgcrypt 1.9 appears to have a few security fixes:

- Fix infinite loop due to applications using fork the wrong way. [#3491] [also in 1.8.4]
- Fix possible leak of a few bits of secret primes to pageable memory. [#3848] [also in 1.8.4]
- Fix possible hang in the RNG (1.8.3 only). [#4034] [also in 1.8.4]
- Use blinding for ECDSA signing to mitigate a novel side-channel attack. [#4011, CVE-2018-0495] [also in 1.8.3, 1.7.10]
- Fix rare assertion failure in gcry_prime_check. [also in 1.8.3]
- Add mitigation against ECC timing attack CVE-2019-13626. [#4626]

The CVE here was CVE-2019-13627 according to the upstream issue, not CVE-2019-13626.
Just to be clear here, CVE-2019-13627 seems to be the only fix that is not in currently available versions in Gentoo. We have 1.8.6 in stable and 1.8.7 in unstable.
1.9.0 is in the tree
x86 done
amd64 done
arm done
arm64 done
Unable to check for sanity: > package masked: dev-libs/libgcrypt-1.9.0
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d554d368f2cc68c944b92c2a64be391ca272eac1

commit d554d368f2cc68c944b92c2a64be391ca272eac1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-29 13:10:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-29 13:10:07 +0000

    dev-libs/libgcrypt: (security) bump to 1.9.1

    This includes a critical security fix on 1.9.0 (currently masked).
    Note that the mask on 1.9.0 currently forces a downgrade to the safe 1.8.x series.

    Bug: https://bugs.gentoo.org/767814
    Bug: https://bugs.gentoo.org/766213
    Closes: https://bugs.gentoo.org/766423
    Closes: https://bugs.gentoo.org/766429
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libgcrypt/Manifest                                        | 2 +-
 .../libgcrypt/{libgcrypt-1.9.0.ebuild => libgcrypt-1.9.1.ebuild}   | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
Unable to check for sanity: > no match for package: dev-libs/libgcrypt-1.9.0
All sanity-check issues have been resolved
We'll just GLSA it with the other one.
Unable to check for sanity: > no match for package: dev-libs/libgcrypt-1.9.1
Resetting sanity check; package list is empty or all packages are done.
Package list is empty or all packages have requested keywords.
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=65e8a66a03a13ff76fb2733745a316822ef89c7e

commit 65e8a66a03a13ff76fb2733745a316822ef89c7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:09:53 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:14 +0000

    [ GLSA 202210-13 ] libgcrypt: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/766213
    Bug: https://bugs.gentoo.org/795480
    Bug: https://bugs.gentoo.org/811900
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-13.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
GLSA released, all done!