Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 19 Dec 2013 20:46:46 +0100
From:      Remko Lodder <remko@FreeBSD.org>
To:        Jun Kuriyama <kuriyama@FreeBSD.org>
Cc:        svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers@freebsd.org
Subject:   Re: svn commit: r336840 - head/security/vuxml
Message-ID:  <96ED3AB2-C214-4D66-A9F9-0AF77CD48A8D@FreeBSD.org>
In-Reply-To: <201312181522.rBIFMx07048742@svn.freebsd.org>
References:  <201312181522.rBIFMx07048742@svn.freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help

--Apple-Mail=_E3789882-5FBA-4051-A556-8B90FD13C281
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On 18 Dec 2013, at 16:22, Jun Kuriyama <kuriyama@FreeBSD.org> wrote:

> Author: kuriyama
> Date: Wed Dec 18 15:22:59 2013
> New Revision: 336840
> URL: http://svnweb.freebsd.org/changeset/ports/336840
>=20
> Log:
>  Add about gnupg-1.4.16.

Hi Jun,

The alignment looks a bit weird, please look at my inline comments.

>=20
> Modified:
>  head/security/vuxml/vuln.xml
>=20
> Modified: head/security/vuxml/vuln.xml
> =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D
> --- head/security/vuxml/vuln.xml	Wed Dec 18 15:14:55 2013	=
(r336839)
> +++ head/security/vuxml/vuln.xml	Wed Dec 18 15:22:59 2013	=
(r336840)
> @@ -51,6 +51,51 @@ Note:  Please add new entries to the beg
>=20
> -->
> <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">;
> +  <vuln vid=3D"2e5715f8-67f7-11e3-9811-b499baab0cbe">
> +    <topic>gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic =
Cryptanalysis attack</topic>
> +    <affects>
> +      <package>
> +	<name>gnupg</name>
> +	<range><lt>1.4.16</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns=3D"http://www.w3.org/1999/xhtml">;
> +	<p>Werner Koch reports:</p>
> +	<blockquote =
cite=3D"http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html=
">
> +	  <p>CVE-2013-4576 has been assigned to this security bug.</p>
> +
> +	  <p>The paper describes two attacks.  The first attack allows
> +to distinguish keys: An attacker is able to notice which key is
> +currently used for decryption.  This is in general not a problem but
> +may be used to reveal the information that a message, encrypted to a
> +commonly not used key, has been received by the targeted machine.  We
> +do not have a software solution to mitigate this attack.</p>
^^ it seems that there is no indentation here. It should jump in two =
spaces
from the <p> stanza, where 8 spaces becomes a tab.

Can you have a look at that?

Thnx!
Remko

> +
> +	  <p>The second attack is more serious.  It is an adaptive
> +chosen ciphertext attack to reveal the private key.  A possible
> +scenario is that the attacker places a sensor (for example a standard
> +smartphone) in the vicinity of the targeted machine.  That machine is
> +assumed to do unattended RSA decryption of received mails, for =
example
> +by using a mail client which speeds up browsing by opportunistically
> +decrypting mails expected to be read soon.  While listening to the
> +acoustic emanations of the targeted machine, the smartphone will send
> +new encrypted messages to that machine and re-construct the private
> +key bit by bit.  A 4096 bit RSA key used on a laptop can be revealed
> +within an hour.</p>
> +	</blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2013-4576</cvename>
> +      =
<url>http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html</u=
rl>
> +    </references>
> +    <dates>
> +      <discovery>2013-12-18</discovery>
> +      <entry>2013-12-18</entry>
> +    </dates>
> +  </vuln>
> +
>   <vuln vid=3D"0c39bafc-6771-11e3-868f-0025905a4771">
>     <topic>asterisk -- multiple vulnerabilities</topic>
>     <affects>
> _______________________________________________
> svn-ports-all@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/svn-ports-all
> To unsubscribe, send any mail to =
"svn-ports-all-unsubscribe@freebsd.org"

--=20

/"\   Best regards,                      | remko@FreeBSD.org
\ /   Remko Lodder                       | remko@EFnet
 X    http://www.evilcoder.org/          |
/ \   ASCII Ribbon Campaign              | Against HTML Mail and News


--Apple-Mail=_E3789882-5FBA-4051-A556-8B90FD13C281
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJSs00mAAoJEKjD27JZ84ywjSEP/1KpGzbJyhy72fqKTrPtJX56
4tFqGJuoHa+g4BRXL8+YsWeo4BcEdTgF9h+wfcsmsnBDfgSNg4TanGja3XDswWvX
etGZeAXA8AQpvRPFceZUlgHAp1t8MfraxeetLM0zxzSyOSGP9ygolp2zcpcTDHWE
pNHHLCw6KIJGVupndNjsLkGHfyX0hqPPV0gnYFeHCq1j0a7pg1tYBFdSGIM0zEAw
bSkW8CEomiQtEkRrZqktzHFxhZ/vqq0B9NudyJBu8x4a2Lq5VC0OnxFwckZGPQoF
dtU05+8kkTC4xFoZmzwbdl1FONnas9KMQ7gFW1OPAZ0lihSZr5QvQXQKP5jUdUQc
6pT0AQc+hjSmTpXz43IztUajZiX2244VwJLv9qlJ7tQKm+TH9cGmO8aJQiH7rl/l
qM4t70VoWEgIJ67wAnL/NFe+mGIzNY429rao07efpYHeB+PmZo+vUkX8KCflLrtr
J4EHcKYEOpx63Y+3C0qiCFjWL7D28NFyZyKU1r//n7dMTjTg0mfmN+M0XRoit79h
xEEKMh/zbkVF7nEyNht34Pwe87j7Ju1Q20CZ59EsvNiA2fMzPMX6BXTCk8cCHkTy
JRsEsQcqkzOfTeDz5ToghEWbgsNPNP+18XKjBMXjAf2K/U24FuptdJtyTgZaCZF/
97qQcXtW5L8jwsODQgc8
=5j/N
-----END PGP SIGNATURE-----

--Apple-Mail=_E3789882-5FBA-4051-A556-8B90FD13C281--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?96ED3AB2-C214-4D66-A9F9-0AF77CD48A8D>