From owner-svn-ports-head@FreeBSD.ORG Sat Aug 17 07:56:13 2013 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id AA613DBA; Sat, 17 Aug 2013 07:56:13 +0000 (UTC) (envelope-from bf@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 88F552AC5; Sat, 17 Aug 2013 07:56:13 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r7H7uDnY004916; Sat, 17 Aug 2013 07:56:13 GMT (envelope-from bf@svn.freebsd.org) Received: (from bf@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r7H7uCEF004913; Sat, 17 Aug 2013 07:56:12 GMT (envelope-from bf@svn.freebsd.org) Message-Id: <201308170756.r7H7uCEF004913@svn.freebsd.org> From: Brendan Fabeny Date: Sat, 17 Aug 2013 07:56:12 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r324830 - in head/security: libgcrypt vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 17 Aug 2013 07:56:13 -0000 Author: bf Date: Sat Aug 17 07:56:12 2013 New Revision: 324830 URL: http://svnweb.freebsd.org/changeset/ports/324830 Log: Update security/libgcrypt to 1.5.3 [1], and document the latest gnupg and libgcrypt vulnerability PR: 181231 Submitted by: Hirohisa Yamaguchi (maintainer) [1] Security: http://www.vuxml.org/freebsd/689c2bf7-0701-11e3-9a25-002590860428.html Modified: head/security/libgcrypt/Makefile head/security/libgcrypt/distinfo (contents, props changed) head/security/vuxml/vuln.xml Modified: head/security/libgcrypt/Makefile ============================================================================== --- head/security/libgcrypt/Makefile Sat Aug 17 07:44:35 2013 (r324829) +++ head/security/libgcrypt/Makefile Sat Aug 17 07:56:12 2013 (r324830) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= libgcrypt -PORTVERSION= 1.5.2 +PORTVERSION= 1.5.3 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GNUPG} MASTER_SITE_SUBDIR= ${PORTNAME} Modified: head/security/libgcrypt/distinfo ============================================================================== --- head/security/libgcrypt/distinfo Sat Aug 17 07:44:35 2013 (r324829) +++ head/security/libgcrypt/distinfo Sat Aug 17 07:56:12 2013 (r324830) @@ -1,2 +1,2 @@ -SHA256 (libgcrypt-1.5.2.tar.bz2) = e41a4339f50294f3c925f2f71aaf2427eb162d2994da91666dfc32621afe963f -SIZE (libgcrypt-1.5.2.tar.bz2) = 1507418 +SHA256 (libgcrypt-1.5.3.tar.bz2) = bcf5334e7da352c45de6aec5d2084ce9a1d30029ff4a4a5da13f1848874759d1 +SIZE (libgcrypt-1.5.3.tar.bz2) = 1508530 Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Aug 17 07:44:35 2013 (r324829) +++ head/security/vuxml/vuln.xml Sat Aug 17 07:56:12 2013 (r324830) @@ -51,6 +51,41 @@ Note: Please add new entries to the beg --> + + GnuPG and Libgcrypt -- side-channel attack vulnerability + + + gnupg + 1.4.14 + + + libgcrypt + 1.5.3 + + + + +

Werner Koch of the GNU project reports:

+
+

Noteworthy changes in version 1.5.3:

+

Mitigate the Yarom/Falkner flush+reload side-channel attack on RSA secret keys...

+

Note that Libgcrypt is used by GnuPG 2.x and thus this release fixes the above + problem. The fix for GnuPG less than 2.0 can be found in the just released GnuPG + 1.4.14.

+
+ + + + http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000329.html + http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html + http://eprint.iacr.org/2013/448 + + + 2013-07-18 + 2013-08-17 + + + puppet -- multiple vulnerabilities