Re: Wheezy update of libgcrypt11?

Hi Chris, GnuPG maintainers, GnuTLS maintainers and LTS team

I have now prepared an updated libgcrypt11 package.
I have simply taken the two patches from libgcrypt20 and applied them
to libgcrypt11. They applied cleanly with just a little "fuzz".

The debdiff is available here:

And the prepared packages are available here:

I have not tried to reproduce the problem reported as I'm not an
expert in cryptography mathematics. And especially not random
generators. If anyone knows of a tool to reproduce the random
generation problem I'm eager to know.

Regarding regression testing, I have installed the built package and
tried a few tools that depend on libgcrypt11. However, I'm not sure I
trigger this function in some way. If anyone knows of a good way to do
regression testing of libgcrypt11 I'm eager to know that too.

As this is such a critical function (as Chris clearly pointed out) I'd
like as many as possible to have a look at what I have done.

If I do not hear any objections in four days I'll upload the
correction. That is on Monday next week.

Thanks in advance and best regards

// Ola

On Thu, Aug 18, 2016 at 11:26 AM, Chris Lamb <lamby@debian.org> wrote:
> [Adding Ola Lundqvist <ola@inguza.com> to CC]
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of libgcrypt11:
>> https://security-tracker.debian.org/tracker/CVE-2016-6313
> Ola, I notice that you have claimed this package in data/dla-needed.txt.
> As this is an especially sensitive package, it would seem prudent to
> get as many eyes on your debdiffs prior to upload, either from the GnuPG
> maintainers and/or on the debian-lts list.
