Bug 181231 - [maintainer] security/libgcrypt security update to 1.5.3
Summary: [maintainer] security/libgcrypt security update to 1.5.3
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Brendan Fabeny
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-11 23:30 UTC by Hirohisa Yamaguchi
Modified: 2013-08-17 09:05 UTC (History)
0 users

See Also:


Attachments
file.diff (884 bytes, patch)
2013-08-11 23:30 UTC, Hirohisa Yamaguchi
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Hirohisa Yamaguchi 2013-08-11 23:30:00 UTC
	The new version of security/libgcrypt 1.5.3 is available.
	Release announcement: http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html

Fix: The patch follows:
How-To-Repeat: 	N/A
Comment 1 Brendan Fabeny freebsd_committer freebsd_triage 2013-08-17 06:28:54 UTC
Responsible Changed
From-To: freebsd-ports-bugs->bf

I'll take it.
Comment 2 dfilter service freebsd_committer freebsd_triage 2013-08-17 08:56:25 UTC
Author: bf
Date: Sat Aug 17 07:56:12 2013
New Revision: 324830
URL: http://svnweb.freebsd.org/changeset/ports/324830

Log:
  Update security/libgcrypt to 1.5.3 [1], and document the latest gnupg
  and libgcrypt vulnerability
  
  PR:		181231
  Submitted by:	Hirohisa Yamaguchi (maintainer) [1]
  Security:	http://www.vuxml.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html

Modified:
  head/security/libgcrypt/Makefile
  head/security/libgcrypt/distinfo   (contents, props changed)
  head/security/vuxml/vuln.xml

Modified: head/security/libgcrypt/Makefile
==============================================================================
--- head/security/libgcrypt/Makefile	Sat Aug 17 07:44:35 2013	(r324829)
+++ head/security/libgcrypt/Makefile	Sat Aug 17 07:56:12 2013	(r324830)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	libgcrypt
-PORTVERSION=	1.5.2
+PORTVERSION=	1.5.3
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	${PORTNAME}

Modified: head/security/libgcrypt/distinfo
==============================================================================
--- head/security/libgcrypt/distinfo	Sat Aug 17 07:44:35 2013	(r324829)
+++ head/security/libgcrypt/distinfo	Sat Aug 17 07:56:12 2013	(r324830)
@@ -1,2 +1,2 @@
-SHA256 (libgcrypt-1.5.2.tar.bz2) = e41a4339f50294f3c925f2f71aaf2427eb162d2994da91666dfc32621afe963f
-SIZE (libgcrypt-1.5.2.tar.bz2) = 1507418
+SHA256 (libgcrypt-1.5.3.tar.bz2) = bcf5334e7da352c45de6aec5d2084ce9a1d30029ff4a4a5da13f1848874759d1
+SIZE (libgcrypt-1.5.3.tar.bz2) = 1508530

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Aug 17 07:44:35 2013	(r324829)
+++ head/security/vuxml/vuln.xml	Sat Aug 17 07:56:12 2013	(r324830)
@@ -51,6 +51,41 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="689c2bf7-0701-11e3-9a25-002590860428">
+    <topic>GnuPG and Libgcrypt -- side-channel attack vulnerability</topic>
+    <affects>
+      <package>
+	<name>gnupg</name>
+	<range><lt>1.4.14</lt></range>
+      </package>
+      <package>
+	<name>libgcrypt</name>
+	<range><lt>1.5.3</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Werner Koch of the GNU project reports:</p>
+	<blockquote cite="http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html">
+	  <p>Noteworthy changes in version 1.5.3:</p>
+	  <p>Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...</p>
+	  <p>Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above
+	  problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG
+	  1.4.14.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+    <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html</url>
+    <url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html</url>
+    <url>http://eprint.iacr.org/2013/448</url>
+    </references>
+    <dates>
+      <discovery>2013-07-18</discovery>
+      <entry>2013-08-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2b2f6092-0694-11e3-9e8e-000c29f6ae42">
     <topic>puppet -- multiple vulnerabilities</topic>
     <affects>
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 3 Brendan Fabeny freebsd_committer freebsd_triage 2013-08-17 09:05:46 UTC
State Changed
From-To: open->closed

Committed. Thanks!