svn commit: r324830 - in head/security: libgcrypt vuxml

Brendan Fabeny bf at FreeBSD.org
Sat Aug 17 07:56:13 UTC 2013 

Author: bf
Date: Sat Aug 17 07:56:12 2013
New Revision: 324830
URL: http://svnweb.freebsd.org/changeset/ports/324830

Log:
  Update security/libgcrypt to 1.5.3 [1], and document the latest gnupg
  and libgcrypt vulnerability
  
  PR:		181231
  Submitted by:	Hirohisa Yamaguchi (maintainer) [1]
  Security:	http://www.vuxml.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html

Modified:
  head/security/libgcrypt/Makefile
  head/security/libgcrypt/distinfo   (contents, props changed)
  head/security/vuxml/vuln.xml

Modified: head/security/libgcrypt/Makefile
==============================================================================
--- head/security/libgcrypt/Makefile	Sat Aug 17 07:44:35 2013	(r324829)
+++ head/security/libgcrypt/Makefile	Sat Aug 17 07:56:12 2013	(r324830)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	libgcrypt
-PORTVERSION=	1.5.2
+PORTVERSION=	1.5.3
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	${PORTNAME}

Modified: head/security/libgcrypt/distinfo
==============================================================================
--- head/security/libgcrypt/distinfo	Sat Aug 17 07:44:35 2013	(r324829)
+++ head/security/libgcrypt/distinfo	Sat Aug 17 07:56:12 2013	(r324830)
@@ -1,2 +1,2 @@
-SHA256 (libgcrypt-1.5.2.tar.bz2) = e41a4339f50294f3c925f2f71aaf2427eb162d2994da91666dfc32621afe963f
-SIZE (libgcrypt-1.5.2.tar.bz2) = 1507418
+SHA256 (libgcrypt-1.5.3.tar.bz2) = bcf5334e7da352c45de6aec5d2084ce9a1d30029ff4a4a5da13f1848874759d1
+SIZE (libgcrypt-1.5.3.tar.bz2) = 1508530

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Aug 17 07:44:35 2013	(r324829)
+++ head/security/vuxml/vuln.xml	Sat Aug 17 07:56:12 2013	(r324830)
@@ -51,6 +51,41 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="689c2bf7-0701-11e3-9a25-002590860428">
+    <topic>GnuPG and Libgcrypt -- side-channel attack vulnerability</topic>
+    <affects>
+      <package>
+	<name>gnupg</name>
+	<range><lt>1.4.14</lt></range>
+      </package>
+      <package>
+	<name>libgcrypt</name>
+	<range><lt>1.5.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Werner Koch of the GNU project reports:</p>
+	<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html">
+	  <p>Noteworthy changes in version 1.5.3:</p>
+	  <p>Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...</p>
+	  <p>Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above
+	  problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG
+	  1.4.14.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+    <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html</url>
+    <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
+    <url>http://eprint.iacr.org/2013/448</url>
+    </references>
+    <dates>
+      <discovery>2013-07-18</discovery>
+      <entry>2013-08-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42">
     <topic>puppet -- multiple vulnerabilities</topic>
     <affects>

More information about the svn-ports-head mailing list